Hi all,

I am in the process of writing my shepherd write-up for the PAR document and 
wanted to make sure that I properly understand the document.
The introduction says:

"

   This document [PAR] complements JAR by providing an interoperable way to
   push the payload of an authorization request directly to the
   authorization server in exchange for a "request_uri" value usable at
   the authorization server in a subsequent authorization request.
"

JAR provides the ability to send Authorization Request parameters in a JWT 
format protected with JWS and optionally JWE. It allows the JAR to be conveyed 
by value and by reference but does not define how the client would upload the 
JAR and how to obtain the reference.

PAR defines how the client uploads the request object and how to obtain the 
reference. It relies primarily on TLS to protect the communication but mentions 
that it is possible to also use the JWT-based approach suggested by JAR.

Both drafts claim to have solved the security issues of protecting the 
communication through the user agent.

Is this a correct summary?

Ciao
Hannes

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
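
The two steps summarised in the message above, as an added example that is not part of the original email or of either draft: an in-memory model in which the client pushes the payload over the direct channel and the user agent then carries only `client_id` and `request_uri`. The class and function names, the `urn:ietf:params:oauth:request_uri:` reference format, the `expires_in` field, and the expiry, client-binding and single-use checks are assumptions of this example, and the client credentials and URLs are constructed.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

URN_PREFIX = "urn:ietf:params:oauth:request_uri:"  # assumed reference format


class AuthorizationServer:
    """In-memory model of the two steps; all names here are hypothetical."""

    def __init__(self, client_secrets, lifetime=60):
        self.client_secrets = client_secrets  # client_id -> secret (constructed)
        self.lifetime = lifetime              # seconds a reference stays valid
        self.pushed = {}                      # request_uri -> (client_id, params, expiry)

    def push(self, client_id, client_secret, params, now=None):
        """Back channel (TLS in practice): store the payload, return a reference."""
        now = time.time() if now is None else now
        expected = self.client_secrets.get(client_id, "")
        if not expected or not secrets.compare_digest(expected, client_secret):
            raise PermissionError("client authentication failed")
        request_uri = URN_PREFIX + secrets.token_urlsafe(24)
        self.pushed[request_uri] = (client_id, dict(params), now + self.lifetime)
        return {"request_uri": request_uri, "expires_in": self.lifetime}

    def authorize(self, url, now=None):
        """Front channel: the URL arrives via the user agent and is untrusted."""
        now = time.time() if now is None else now
        query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        # pop() makes the reference single use, even if a later check fails.
        entry = self.pushed.pop(query.get("request_uri", ""), None)
        if entry is None:
            raise ValueError("unknown or already used request_uri")
        client_id, params, expiry = entry
        if query.get("client_id") != client_id or now > expiry:
            raise ValueError("request_uri expired or bound to another client")
        # Only the pushed payload is honoured; extra query parameters are ignored.
        return params


def authorization_url(endpoint, client_id, pushed_response):
    """What the client hands to the user agent: a reference, not the payload."""
    return endpoint + "?" + urlencode(
        {"client_id": client_id, "request_uri": pushed_response["request_uri"]})
```

Because `authorize` reads the parameters from the stored entry, a `redirect_uri` or `scope` appended to the URL in transit has no effect on the request the server processes.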
