[OAUTH-WG] client_id in PAR and JAR
Thiloshon Nagarajah <thiloshon@wso2.com> Tue, 30 June 2020 07:25 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ntTZXCsnlaNMG11m-PsHw4vunFs>
Hi All,

In the OAuth JAR specification, client_id is a required query parameter of the authorisation call, in both *request* and *request_uri* flows [https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-23#section-5]. But in the OAuth PAR specification, which is a complementary spec to JAR, it is specified: "Clients are encouraged to use the request URI as the only parameter (in the authorisation call) in order to use the integrity and authenticity provided by the pushed authorization request." [https://tools.ietf.org/html/draft-ietf-oauth-par-01#section-4]

Taking into account that both of these are building upon the OAuth spec, which also mandates the client_id query param in the authorisation call, it seems like PAR is not compatible with the OAuth and JAR specs. Is this intentional? If it is, may I know the rationale behind this decision?

Regards,
--
Thiloshon Nagarajah
Software Engineer, Financial Solutions
WSO2
+94774209947
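To make the parameter rules concrete, here is an added example (not code from the post or from either draft) of the check a hypothetical authorization server's authorize endpoint would apply when it requires the JAR-mandated client_id alongside a PAR request_uri. It assumes the JAR section 5 rule that the query client_id must match the client_id of the referenced request object, a PAR-only server policy, and a constructed in-memory PAR store.

```python
# Constructed sample PAR store (not from the post): request_uri -> the client
# that authenticated at the PAR endpoint, the parameters it pushed, and expiry.
SAMPLE_REQUEST_URI = "urn:ietf:params:oauth:request_uri:constructed-example-1"
SAMPLE_STORE = {
    SAMPLE_REQUEST_URI: {
        "client_id": "s6BhdRkqt3",
        "params": {"response_type": "code", "scope": "openid",
                   "redirect_uri": "https://client.example.org/cb"},
        "expires_at": 1593501985,   # unix time; issued with a 60 s lifetime
    },
}

class AuthzRequestError(Exception):
    """Carries the OAuth error code the authorization endpoint would return."""
    def __init__(self, code, description):
        super().__init__(f"{code}: {description}")
        self.code = code

def validate_authorization_query(query, store, now):
    """Check a front-channel authorize query against the JAR and PAR rules.

    Policy of this (hypothetical) server: only pushed requests are accepted,
    so request_uri is mandatory and request-by-value is rejected.  Returns the
    effective parameters, consuming the request_uri on success.
    """
    client_id = query.get("client_id")
    if not client_id:
        # JAR section 5: client_id is a required query parameter even when
        # every other parameter lives in the (pushed) request object.
        raise AuthzRequestError("invalid_request", "client_id is required")
    if "request" in query:
        raise AuthzRequestError("request_not_supported",
                                "this server accepts pushed requests only")
    request_uri = query.get("request_uri")
    if not request_uri:
        raise AuthzRequestError("invalid_request", "request_uri is required")
    pushed = store.get(request_uri)
    if pushed is None or pushed["expires_at"] <= now:
        raise AuthzRequestError("invalid_request_uri",
                                "unknown or expired request_uri")
    # Binding check: the client_id presented on the front channel must be the
    # client that authenticated when it pushed the request (JAR: the query
    # client_id MUST match the request object's client_id).
    if pushed["client_id"] != client_id:
        raise AuthzRequestError("invalid_request",
                                "client_id does not match pushed request")
    store.pop(request_uri)   # single use: the same request_uri cannot be replayed
    return {"client_id": client_id, **pushed["params"]}
```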