Hi Aaron, that’s a very good point. I was also in favour of just providing the client with the URL it needs to send the user to (like XYZ and OAuth do).
In the end, we decided to stay with the current approach since it fits with the rest of the existing ecosystem, namely JAR and authorization endpoint discovery. best regards, Torsten. > On 24. Jul 2020, at 00:49, Aaron Parecki <[email protected]> wrote: > > I know this is a bit of an old thread to dig up, but as I'm working through > this draft again, something is sticking out to me about this. > > In every other instance of "*_uri" in OAuth and extensions, the value is a > URI (usually https) which will be visited by the user's browser or be sent a > POST request from a client. In the case of PAR, this "request_uri" is > actually just an identifier that is *added* to an existing URL, the > authorization endpoint, not a URL that will be visited itself. This > discrepancy is bothering me. > > I would have expected that either: > > * The PAR response includes a "request_uri" which is the full URL that the > client would redirect the user's browser to, OR > * The PAR response includes a "request_id" which it adds in the query string > to the authorization endpoint and then redirects the browser to > > For example: > > POST /as/par HTTP/1.1 > ... > response: > { > "request_uri": > "https://as.example.com/auth?request=bwc4JK-ESC0w8acc191e-Y1LTC2";, > "expires_in": 60 > } > > then the user's browser is sent to whatever the value of "request_uri" is > > OR > > POST /as/par HTTP/1..1 > ... > response: > { > "request_id": > "urn:ietf:params:oauth:request_uri:bwc4JK-ESC0w8acc191e-Y1LTC2", > "expires_in": 60 > } > > then the "request_id" is added to the authorization endpoint (as currently > described by PAR) > > https://as.example.com/auth?client_id=s6BhdRkqt3&request_uri=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3Abwc4JK-ESC0w8acc191e-Y1LTC2 > > My personal preference is the first option, keeping the term "request_uri" > but having it actually be the full URI, to simplify the job of the client. In > that model, the client doesn't have to mess with building URLs, and actually > provides additional flexibility for the AS as well since that endpoint no > longer needs to be the exact same URL as the authorization endpoint.. > > --- > Aaron Parecki > https://aaronparecki.com > > > On Thu, Jan 16, 2020 at 8:25 AM Torsten Lodderstedt > <[email protected]> wrote: > I just thought about another option. What if we change PAR to not use the > request_uri parameter but a new parameter, e.g. request_id? > > That would decouple both specs. The reason why we use request_uri was to make > the life of clients easier since they can use the standard library function > for request objects to pass the PAR reference to the AS. Is this worth the > trouble? > >> Am 16.01.2020 um 16:48 schrieb Justin Richer <[email protected]>: >> >> +1 to this approach, and it sounds like JAR might need to come back to go >> through another round anyway thanks to the breaking changes the IESG pushed >> into it after it left WGLC. >> >> I’d rather see us get this right than publish something many of us think is >> broken. >> >> Maybe PAR and JAR (and JARM?) end up going out as a bundle of specs. >> >> — Justin >> >>> > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
