See my reply inline.

Best regards,
*Filip Skokan*

On Thu, 25 Jul 2019 at 19:57, Танги Ле Пенс <tangui.lepense=40mail...@dmarc.ietf.org> wrote:

> In https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-6, it
> is stated that an error is to be returned when the request object is
> invalid. These errors are "invalid_request_uri" and
> "invalid_request_object".
>
> However, to which redirect URI should we redirect in the following cases:
> * the request object is invalid (e.g. invalid signature); should we still
>   use client_id/redirect_uri of the invalid request object?
> * the request URI could not be reached
> * the request object is encrypted and cannot be decrypted (bad key)

FS: if the client_id & redirect_uri combination is valid (the URI is valid for that client), yes, it's fine to use those (ditto state). This applies to all three.

> Would it be acceptable to use the "client_id" and "redirect_uri" request
> query parameters in such a case? Although it contradicts the current
> specification which states that they shall not be used, and it would
> defeat confidentiality when using encryption.

FS: how would it defeat confidentiality?

> Another option is not redirecting and displaying the error message on
> the AS, like when the client_id is unknown for instance.

FS: also an acceptable outcome, one with no caveats.

> Also I don't get the example in
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-5.2.2 :
>
> https://server.example.com/authorize?
> response_type=code%20id_token
> &client_id=s6BhdRkqt3
> &request_uri=https%3A%2F%2Ftfp.example.org%2Frequest.jwt
> %23GkurKxf5T0Y-mnPFCHqWOMiZi4VS138cQO_V7PZHAdM
> &state=af0ifjsldkj
>
> in regards to the following statement in
> https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-19#section-5 :
>
> The client MAY send the parameters included in the request object
> duplicated in the query parameters as well for the backward
> compatibility etc. However, the authorization server supporting this
> specification MUST only use the parameters included in the request
> object.
>
> My understanding is that "response_type", "client_id" and "state" will
> be ignored by a JAR-compliant OAuth2 server. Isn't it confusing to add
> them to the example?

FS: they will only be ignored IF they are also part of the request object, so I believe it's fine to have them as part of this example.

> Maybe I've missed something?
>
> Regards,
>
> --
> Tangui
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
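The error-delivery decision discussed in the thread (redirect to the query client_id/redirect_uri only when that pair is registered, otherwise display the error at the AS), as an added example that is not from the thread or from any OAuth implementation mentioned in it. It assumes an HS256-signed request object passed by value in `request`, and a constructed client registry `CLIENTS` with an invented redirect URI and shared secret.

```python
import base64, hashlib, hmac, json
from urllib.parse import urlencode

# Constructed client registry: the client_id is the draft example's, the
# redirect URI and HS256 secret are invented for this example.
CLIENTS = {"s6BhdRkqt3": {"redirect_uris": ["https://client.example.org/cb"],
                          "secret": b"constructed-shared-secret"}}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS request object (fixture helper)."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_request_object(jws: str, secret: bytes):
    """Return the claims of a valid HS256 request object, else None."""
    try:
        h, p, s = jws.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None  # refuse any other alg, including "none"
        mac = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except (ValueError, TypeError, AttributeError):
        return None

def handle_authorize(query: dict):
    """Return ("ok", claims), ("redirect", url) or ("display", error)."""
    client = CLIENTS.get(query.get("client_id"))
    redirect_uri = query.get("redirect_uri")
    # Per the reply above: the query client_id/redirect_uri pair may carry the
    # error only if it is registered; otherwise the AS displays the error itself.
    can_redirect = client is not None and redirect_uri in client["redirect_uris"]
    claims = verify_request_object(query.get("request", ""), client["secret"]) if client else None
    if claims is not None:
        return ("ok", claims)  # from here on only the object's parameters are used
    if not can_redirect:
        return ("display", "invalid_request_object")
    params = {"error": "invalid_request_object"}
    if "state" in query:
        params["state"] = query["state"]
    return ("redirect", f"{redirect_uri}?{urlencode(params)}")
```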