Hi Thiloshon,

Not quite the way it went down but we have this addressed in a future PAR draft.

Thank you ;)

Filip

Sent from iPhone

> 30. 6. 2020 at 9:25, Thiloshon Nagarajah 
> <thiloshon=40wso2....@dmarc.ietf..org>:
> 
> Hi All,
> 
> In the OAuth JAR specification, client_id is a required query parameter of 
> the authorisation call, in both request and request_uri flows 
> [https://tools.ietf.org/html/draft-ietf-oauth-jwsreq-23#section-5].
> 
> But in the OAuth PAR specification, which is a complementary spec to JAR, it is 
> specified "Clients are encouraged to use the request URI as the only 
> parameter (in the authorisation call) in order to use the integrity and 
> authenticity provided by the pushed authorization request." 
> [https://tools.ietf.org/html/draft-ietf-oauth-par-01#section-4]
> 
> Taking into account that both of these build upon the OAuth spec, which also 
> mandates the client_id query param in the authorisation call, it seems like PAR is 
> not compatible with the OAuth and JAR specs. 
> 
> Is this intentional? If it is, may I know the rationale behind this decision? 
> 
> Regards,
> -- 
> Thiloshon Nagarajah
> Software Engineer,
> Financial Solutions
> WSO2
> +94774209947
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth