Hmm, sorry for the long subject line, but I guess that's the whole question: On the PAR endpoint, can the JAR request object signature be used for client authentication in lieu of other client authentication parameters (e.g. private key JWT)?
I'd wonder if the answer is "no" because there might be some replay-style attack with request objects obtained when used as parameters to the authorize endpoint from other client requests. As I was re-reading section 3 this was one of the first thoughts that popped into my head.
It might be good to have a clarification somewhere. TIA
I'm saying that, no, it isn't allowed to omit client authentication on the account of using a signed request object. We had that as an option in an early draft and removed it.
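The authorization-server side of that answer, as an added example (not code from this thread, nor from the PAR or JAR specification authors): a minimal PAR endpoint decision that authenticates the client on its own credential first, and only then verifies the `request` object's signature and requires its `client_id` to match the authenticated client. HS256 with a shared client secret, the constructed `CLIENTS` registry and `PAR_URL` are assumptions made to keep the example self-contained.

```python
import base64, hashlib, hmac, json

# Constructed registry and constants (assumptions for this example, not from the thread).
CLIENTS = {"client-a": b"client-a-secret", "client-b": b"client-b-secret"}
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
PAR_URL = "https://as.example/par"  # assumed audience for the client_assertion

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256_sign(payload: dict, key: bytes) -> str:
    """Compact JWS (HS256), used here both for the request object and the client_assertion."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def hs256_verify(token: str, key: bytes):
    """Return the payload if the signature verifies under key, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))

def authenticate_client(form: dict):
    """Client authentication (client_secret_jwt-style assertion). Returns client_id or None."""
    token = form.get("client_assertion", "")
    if form.get("client_assertion_type") != JWT_BEARER or token.count(".") != 2:
        return None
    iss = json.loads(_unb64(token.split(".")[1])).get("iss")  # unverified, only to pick the key
    if iss not in CLIENTS:
        return None
    claims = hs256_verify(token, CLIENTS[iss])
    if claims is None or claims.get("aud") != PAR_URL:
        return None
    return iss

def validate_par(form: dict) -> str:
    """PAR decision: client auth first; then, if a request object is present, verify its
    signature and require its client_id to match the authenticated client."""
    client_id = authenticate_client(form)
    if client_id is None:
        return "invalid_client"  # a signed 'request' alone does not authenticate the client
    if "request" in form:
        ro = hs256_verify(form["request"], CLIENTS[client_id])
        if ro is None or ro.get("client_id") != client_id:
            return "invalid_request_object"  # bad signature, or an object minted for another client
    return "ok"
```

The third branch is what blocks the replay the question worries about: a request object lifted from another client's authorize call either fails signature verification under the authenticated client's key or carries a `client_id` that does not match.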