Hi All,

In the OAuth JAR specification, client_id is a required query parameter of
the authorisation call, in both *request* and *request_uri* flows
[https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-23#section-5].

But in the OAuth PAR specification, which is a complementary spec to JAR, it is
specified "Clients are encouraged to use the request URI as the only
parameter (in the authorisation call) in order to use the integrity and
authenticity provided by the pushed authorization request."
[https://tools.ietf.org/html/draft-ietf-oauth-par-01#section-4]

Taking into account that both of these are building upon the OAuth spec, which
also mandates the client_id query param in the authorisation call, it seems like
PAR is not compatible with the OAuth and JAR specs.

Is this intentional? If it is, may I know the rationale behind this
decision?

Regards,
-- 
Thiloshon Nagarajah
Software Engineer,
Financial Solutions
WSO2
+94774209947
<http://wso2.com/signature>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
