Need to create request_uri endpoint in AS

Issue #87 closed
Nat Sakimura created an issue

FAPI Part 2 should have an optional endpoint to create the request object at the AS and get the request_uri.

Comments (12)

  1. Nat Sakimura reporter

    So, it would be a simple URI at the AS to which the client can POST the request object and get the following back with 200 OK.

    200 OK
    content-type: application/json
    
    {
        "request_uri":"https://as.example.com/requests/af9dnpqgysEfjslIwwlSq"
    }
    

    For errors, we probably need invalid_object. Would that be enough?

  2. Nat Sakimura reporter

    I decided to put some other claims like iss and aud and pushed the change to the repo.

    Now, I have an additional idea around it. Since we are now pushing the request object to the AS, the AS knows which client cert is to be used for the transaction. Thus, code can actually be bound to the client certs so that all the tokens generated by the AS are actually sender constrained. I will create an additional ticket for this.

  3. Nat Sakimura reporter

    No, we do not have to have the client authentication to POST the request object. This is because the request object is signed using asymmetric crypto.

    If we allow other algorithms, then we need to make it "shall", but since we are not, it is not needed.
