Re: [OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-29 Thread Brian Campbell
Errata 5708 has been reported attempting to clarify the situation. https://www.rfc-editor.org/errata/eid5708

On Mon, Apr 22, 2019 at 9:53 AM Thomas Broyer wrote:
> And the root issue is that it *is* subject to interpretation.
>
> Parameters sent without a value MUST be treated as if they were
>

Re: [OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-22 Thread Thomas Broyer
And the root issue is that it *is* subject to interpretation.

Parameters sent without a value MUST be treated as if they were omitted from the request. The authorization server MUST ignore unrecognized request parameters. Request and response parameters MUST NOT be included more than on

Re: [OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-22 Thread Brian Campbell
My interpretation of RFC6749's “Request and response parameters MUST NOT be included more than once” is that it is applicable only to the parameters defined therein. Which (conveniently but defensibly) allows for extensions like resource indicators and token exchange to have multiple instances of a

Re: [OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-22 Thread Thomas Broyer
RFC6749 makes it clear that “Request and response parameters MUST NOT be included more than once.” So:
* multi-valued request params shouldn't exist ("scope" is a single string value with a specific format, as a space-separated list of scopes)
* resource indicators draft violates RFC6749 by expli

Re: [OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-22 Thread Brian Campbell
FWIW, the second paragraph of resource indicators, section 2.1 says to use a JSON array via the following text:

For authorization requests sent as a JWTs, such as when using JWT Secured Authorization Request [I

[OAUTH-WG] How to deal with multi-valued request parameters in a JAR (draft-ietf-oauth-jwsreq-17)?

2019-04-22 Thread Vladimir Dzhuvinov
https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-17#section-4

How should multi-valued request params be expressed in the JWT claims set? As values in a JSON array?

{
  "iss": "s6BhdRkqt3",
  "aud": "https://server.example.com",
  "response_type": "code id_token",
  "clien