Need to create a request_uri endpoint in the AS
FAPI Part 2 should have an optional endpoint to create the request object at the AS and get the request_uri.
Comments (12)
-
reporter: So, it would be a simple URI at the AS to which the client can POST the request object and get the following back with 200 OK.

```http
200 OK
Content-Type: application/json

{ "request_uri": "https://as.example.com/requests/af9dnpqgysEfjslIwwlSq" }
```

For errors, we probably need `invalid_object`. Would that be enough?
-
reporter: Dave pointed out that returning the expiry time with it would be good.
-
reporter: Re: #87 added ros ep. Error needs improvements. → <<cset 48a335eb10e7>>
-
reporter: I decided to put some other claims like `iss` and `aud` and pushed the change to the repo. Now, I have an additional idea around it. Since we are now pushing the request object to the AS, the AS knows which client cert is to be used for the transaction. Thus, `code` can actually be bound to the client cert so that all the tokens generated by the AS are actually sender-constrained. I will create an additional ticket for this.
-
@Nat I've added a pull request to adjust the wording: https://bitbucket.org/openid/fapi/pull-requests/22/improvements-to-request-object-section/diff
I have a question: should we require client authentication like jwsreq?
> Server MUST perform Client Authentication to accept the Request Object
-
reporter: No, we do not have to have client authentication to POST the request object. This is because the request object is signed using asymmetric crypto.
If we allowed other algorithms, then we would need to make it "shall", but since we do not, it is not needed.
-
OK, sounds good, I think we can close this.
-
reporter - changed status to closed
-
reporter - changed component to Part 2: Advanced
-
reporter - changed component to FAPI 1 – Part 2: Advanced
-
reporter - changed component to FAPI 1: Advanced
-
Agreed - this would be a great addition.