Conformance testing for typ in request object for FAPI1
Issue #705
new
As a result of https://bitbucket.org/openid/fapi/issues/684/typ-in-request-objects FAPI2 was updated to have some text around typ in request objects.
However, as discussed on today’s WG call, the original interoperability problem occurred in FAPI1 and the certification team would appreciate guidance from the working group about what tests we should add to the FAPI1 test suite please.
Interoperability here is important. I’d suggest that tests be added that ensure request objects that have no typ header are accepted as well as with a typ header containing the following (non-exhaustive) list of legitimate and semantically equivalent values:
application/oauth-authz-req+jwt
APPLICATION/OAUTH-AUTHZ-REQ+JWT
Application/OAuth-Authz-Req+Jwt
application/OAuth-Authz-Req+jwt
APPLICATION/oauth-authz-req+JWT
application/oauth-authz-req+Jwt
Application/oauth-authz-req+JWT
oauth-authz-req+jwt
OAUTH-AUTHZ-REQ+JWT
Oauth-Authz-Req+Jwt
oauth-Authz-Req+jwt
OAUTH-authz-req+JWT
oauth-authz-req+Jwt
Oauth-authz-req+JWT
OAUTH-AUTHZ-REQ+jwt
OAUTH-authz-REQ+jwt
Oauth-Authz-REQ+Jwt
oauth-authz-REQ+jwt
OAUTH-AUTHZ-req+JWT
application/OAUTH-AUTHZ-REQ+jwt
application/oauth-AUTHZ-REQ+jwt
application/OAUTH-authz-req+Jwt
application/oauth-AUTHZ-req+JWT
application/oauth-AUTHZ-REQ+jwt
application/OAUTH-AUTHZ-req+jwt
application/oauth-AUTHZ-REQ+jwt
Application/OAUTH-AUTHZ-REQ+Jwt
APPLICATION/OAuth-AUTHZ-REQ+JWT
Oauth-authz-req+Jwt
OAUTH-authz-req+jWT
Oauth-Authz-Req+JWT
oauth-Authz-Req+JWT
oauth-authz-req+JwT
Oauth-AUTHZ-req+JWT
OAUTH-AUTHZ-REQ+Jwt
OAUTH-AUTHZ-REQ+Jwt
Oauth-AUTHZ-REQ+jWT
application/OAUTH-authz-req+JWT
APPLICATION/OAUTH-authz-REQ+Jwt
APPLICATION/OAUTH-Authz-REQ+jwt
application/oauth-Authz-Req+Jwt
Application/oauth-AUTHZ-REQ+jwt
application/oauth-Authz-REQ+Jwt
OAUTH-Authz-req+jwt
Oauth-authz-REQ+jwt
application/oauth-Authz-Req+jWT
application/Oauth-Authz-Req+Jwt
application/oauth-Authz-REQ+jWT
application/oauth-AUTHZ-Req+jwt
application/OAUTH-Authz-REQ+Jwt
Oauth-Authz-Req+jwt
oauth-authz-REQ+Jwt
Oauth-Authz-REQ+jWT
oauth-authz-req+JWT
Oauth-authz-REQ+JWT
OAUTH-AUTHZ-REQ+jwT
OAUTH-authz-REQ+Jwt
Oauth-AUTHZ-REQ+Jwt
Oauth-AUTHZ-req+Jwt
Oauth-AUTHZ-Req+Jwt
oauth-Authz-Req+Jwt
OAUTH-AUTHZ-REQ+JwT
application/oauth-Authz-Req+jWT
application/OAUTH-AUTHZ-req+Jwt
application/oauth-Authz-REQ+jwt
application/OAUTH-AUTHZ-REQ+jwt
Oauth-AUTHZ-Req+JWT
OAUTH-Authz-Req+jwt
Oauth-Authz-Req+Jwt
Oauth-authz-REQ+jwt
oauth-Authz-REQ+Jwt
application/oauth-Authz-req+jwt
APPLICATION/OAuth-authz-req+JWT
application/oauth-authz-req+JWT
application/oauth-authz-req+Jwt
application/OAUTH-AUTHZ-REQ+jwt
APPLICATION/oauth-authz-REQ+JWT
application/OAuth-Authz-req+jwt
oauth-AUTHZ-REQ+Jwt
Oauth-Authz-req+jWT
Oauth-AUTHZ-Req+jwt
application/oauth-authz-req+jwT
Oauth-authz-req+jWT
application/OAUTH-authz-req+Jwt
Oauth-Authz-req+Jwt
oauth-authz-REQ+jWT
application/OAUTH-Authz-req+JWT
application/oauth-authz-req+JwT
application/OAUTH-authz-req+JWT
application/OAuth-authz-req+Jwt
Oauth-Authz-REQ+Jwt
Oauth-authz-req+JWT
oauth-Authz-REQ+jWT
Oauth-authz-REQ+jWT
application/oauth-AUTHZ-Req+JWT
OAUTH-AUTHZ-REQ+jWt
OAUTH-AUTHZ-REQ+JWt
OAUTH-Authz-Req+jWT
Oauth-authz-Req+jWt
oauth-authz-Req+JWT
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+jwt
Oauth-authz-REQ+jwt
OAUTH-authz-REQ+Jwt
Oauth-Authz-req+jwt
OAUTH-Authz-Req+jWT
Oauth-Authz-req+JwT
OAUTH-Authz-req+Jwt
OAUTH-authz-Req+JWT
Oauth-authz-Req+JWT
Oauth-AUTHZ-req+Jwt
Oauth-AUTHZ-REQ+jwt
OAUTH-authz-Req+jWT
Oauth-AUTHZ-REQ+jwt
Oauth-authz-REQ+Jwt
Oauth-AUTHZ-Req+jwt
Oauth-AUTHZ-req+JWT
Oauth-Authz-REQ+JWT
Oauth-authz-req+jwt
Oauth-authz-Req+jwt
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-req+JwT
Oauth-Authz-Req+jWT
Oauth-authz-Req+Jwt
Oauth-authz-REQ+JWT
Oauth-AUTHZ-Req+JWt
Oauth-Authz-Req+JWt
Oauth-AUTHZ-req+JWT
Oauth-AUTHZ-REQ+JWT
Oauth-AUTHZ-Req+jWt
Oauth-authz-Req+jWT
Oauth-authz-REQ+JWt
Oauth-AUTHZ-Req+jWT
Oauth-Authz-REQ+JWt
Oauth-AUTHZ-Req+JWt
Oauth-Authz-Req+jWt
Oauth-AUTHZ-REQ+jWt
Oauth-authz-req+JWt
Oauth-AUTHZ-req+JWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-Req+jWt
Oauth-Authz-REQ+JWt
Oauth-AUTHZ-req+JWt
Oauth-AUTHZ-Req+jWt
Oauth-AUTHZ-Req+jWT
Oauth-Authz-Req+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-AUTHZ-Req+jWt
Oauth-authz-Req+JWt
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-Req+JWt
Oauth-Authz-REQ+JWT
Oauth-authz-req+jWt
Oauth-AUTHZ-REQ+jWt
Oauth-AUTHZ-Req+JWT
Oauth-authz-REQ+JWt
Oauth-AUTHZ-REQ+jWT
Oauth-authz-Req+JWt
Oauth-AUTHZ-REQ+JWt
Oauth-authz-Req+JWT
Oauth-Authz-Req+JWT
Oauth-authz-req+jWT
Oauth-AUTHZ-REQ+JWT
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-req+JWt
Oauth-authz-REQ+Jwt
Oauth-Authz-REQ+JWt
Oauth-AUTHZ-Req+JWt
Oauth-authz-Req+jWt
Oauth-AUTHZ-Req+jWt
Oauth-authz-req+JWT
Oauth-authz-Req+jWT
Oauth-AUTHZ-Req+JWT
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+JWT
Oauth-AUTHZ-Req+JWT
Oauth-authz-REQ+jWT
Oauth-AUTHZ-req+JWT
Oauth-authz-Req+Jwt
Oauth-Authz-Req+jWt
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-authz-req+JWt
Oauth-Authz-REQ+JWt
Oauth-authz-Req+jWt
Oauth-AUTHZ-Req+jWT
Oauth-authz-REQ+JWt
Oauth-AUTHZ-REQ+jWt
Oauth-authz-Req+JWT
Oauth-Authz-REQ+Jwt
Oauth-authz-req+jWT
Oauth-AUTHZ-REQ+Jwt
Oauth-authz-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-authz-Req+JWT
Oauth-Authz-REQ+JWT
Oauth-authz-req+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-authz-Req+JWt
Oauth-AUTHZ-Req+Jwt
Oauth-Authz-REQ+jWT
Oauth-Authz-Req+JWt
Oauth-authz-req+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-Req+jWt
Oauth-authz-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-Req+JWt
Oauth-AUTHZ-Req+Jwt
Oauth-Authz-Req+Jwt
Oauth-Authz-REQ+jWT
Oauth-authz-REQ+Jwt
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+jWT
Oauth-authz-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-Req+jWt
Oauth-AUTHZ-REQ+jWt
Oauth-AUTHZ-Req+jWT
Oauth-authz-REQ+Jwt
Oauth-Authz-Req+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-Req+jWt
Oauth-AUTHZ-Req+jWt
Oauth-Authz-REQ+jWT
Oauth-authz-REQ+Jwt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+JWt
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-Req+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-Authz-Req+JWt
Oauth-AUTHZ-REQ+jWt
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+JWt
Oauth-Authz-REQ+JWt
Oauth-Authz-REQ+jWT
Oauth-authz-Req+JWt
Oauth-AUTHZ-Req+jWT
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-Req+JWt
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-Req+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+JWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+JWt
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+JWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+JWt
Oauth-authz-REQ+Jwt
Oauth-authz-REQ+JWt
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+jWt
Oauth-authz-REQ+jWt
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+JWt
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-authz-REQ+jWt
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWT
Oauth-authz-REQ+jWt
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+JWt
Oauth-authz-REQ+JWt
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+jWt
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-AUTHZ-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+JWT
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+JWt
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+JWt
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+JWt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+jWT
Oauth-authz-REQ+JWt
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-AUTHZ-REQ+jWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+JWt
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+jWt
Oauth-AUTHZ-REQ+JWT
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+JWt
Oauth-AUTHZ-REQ+jWT
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-authz-REQ+Jwt
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWT
Oauth-authz-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWt
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+Jwt
Oauth-authz-REQ+jWT
Oauth-AUTHZ-REQ+jWt
Oauth-authz-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-authz-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+Jwt
Oauth-Authz-REQ+JWt
Oauth-AUTHZ-REQ+Jwt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+Jwt
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+JWT
Oauth-AUTHZ-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+Jwt
Oauth-authz-REQ+jWt
Oauth-AUTHZ-REQ+jWt
Oauth-AUTHZ-REQ+jWT
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWT
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-AUTHZ-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+Jwt
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+Jwt
Oauth-authz-REQ+JWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+jWT
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+jWT
Oauth-authz-REQ+Jwt
Oauth-Authz-REQ+jWT
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+JWT
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+jWT
Oauth-authz-REQ+Jwt
Oauth-Authz-REQ+Jwt
Oauth-authz-REQ+Jwt
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+Jwt
Oauth-Authz-REQ+jWt
Oauth-Authz-REQ+JWT
Oauth-authz-REQ+jWt
Oauth-Authz-REQ+Jwt
appliCATion/oauth-AUTHZ-REQ+jwt
ApplicatioN/OAUTH-AUTHz-REQ+Jwt
APPLICATION/OAuth-AUTHZ-REQ+JWT
And, of course, the exceptionally useful "typ":"JWT" should be accepted too.
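One way a receiver could implement the comparison that the comment above asks the tests to exercise, as an added example that is not part of the original thread or of the conformance suite. It follows RFC 7515 section 4.1.9 (media type names compare case-insensitively, and a typ value without a "/" is treated as if "application/" were prepended); the function names, the accepted set and the unsigned sample tokens are assumptions made for illustration.

```python
import base64
import json

# Accepted media types after normalization. Assumption: this set mirrors the
# comment's suggestion (request-object type plus plain "JWT"), not spec text.
ACCEPTED_TYP = {"application/oauth-authz-req+jwt", "application/jwt"}


def normalize_typ(typ):
    """Normalize a JOSE typ value per RFC 7515 section 4.1.9."""
    value = typ.lower()               # media type names are case-insensitive
    if "/" not in value:              # an omitted "application/" prefix is implied
        value = "application/" + value
    return value


def jws_header(compact_jws):
    """Decode the protected header of a compact JWS (no signature check here)."""
    segment = compact_jws.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    header = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def request_object_typ_ok(compact_jws):
    """True when typ is absent or normalizes to an accepted media type."""
    header = jws_header(compact_jws)
    if "typ" not in header:
        return True                   # no typ header: accepted
    typ = header["typ"]
    if not isinstance(typ, str):
        return False                  # typ must be a string
    return normalize_typ(typ) in ACCEPTED_TYP


def make_unsigned_sample(header):
    """Constructed sample: encoded header plus placeholder payload and signature."""
    raw = json.dumps(header, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode() + ".e30.sig"
```

This check only covers the typ header; signature and claim validation of the request object still have to run as usual.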