Require typ in request objects #355
Conversation
jogu
force-pushed
the
typ-in-request-obj
branch
from
dc190ff to
d263e13
Compare
There was a problem hiding this comment.
this is a text from RFC9101, which is much more relaxed than the current PR text. I understand that mandating oauth-authz-req+jwt helps with the interop, but I think we need to discuss implications on the implementations. For example, I am aware of the implementations that use jwt as a typ value.
Another way to prevent cross-JWT confusion is to use explicit typing, as described in Section 3.11 of [RFC8725]. One would explicitly type a Request Object by including a typ Header Parameter with the value oauth-authz-req+jwt (which is registered in Section 9.4.1). Note, however, that requiring explicitly typed Request Objects at existing authorization servers will break most existing deployments, as existing clients are already commonly using untyped Request Objects, especially with OpenID Connect [OpenID.Core]. However, requiring explicit typing would be a good idea for new OAuth deployment profiles where compatibility with existing deployments is not a consideration
|
That text in RFC9101 was there to not breaking existing OpenID Connect implementations (from what I remember the OAuth WG weren't keen to allow that exception) - as I mentioned on the issue no one can use an existing OpenID Connect implementation to request credentials, and we already have other breaking changes happening (E.g. around DCQL) there doesn't seem to be any large issue with following the JWT BCP and doing explicit required typing, and hence requiring implementations to update. |
Co-authored-by: Paul Bastian <paul.bastian@posteo.de>
closes #268