openid / federation


Unclear language around automatic registration with PAR #52

Open SECtim opened 2 weeks ago

SECtim commented 2 weeks ago

In Section 12.1.1.2., the specification describes automatic RP registration using Pushed Authorization Requests.

The first sentence reads "... interoperable way to push a Request Object directly to the AS ...", and Section 12.1.1.2.1. on processing such a request states:

> The requirements specified in Section 12.1.1.1.2 also apply to Pushed Authorization Requests [RFC9126].

Said Section 12.1.1.1.2 in turn says

> Once the OP has the RP's metadata, it MUST verify [...] the signature of the Request Object ...

So far, this sounds like automatic registration with PAR requires the use of a Request Object.

However, the example request in Figure 47 uses "plain" PAR parameters. Furthermore, Section 12.1.1.2.1. on processing PAR requests lists some client authentication methods and states that the OP must use the keys published by the RP for the openid_relying_party Entity Type. Such client authentication seems to only make sense when NOT using a (signed) Request Object. I.e., it sounds like with PAR, using a Request Object is optional (which is also signaled through the headings of the respective sections: "Using a Request Object" and "Using Pushed Authorization").

My best guess is that with PAR, using a Request Object is indeed optional, but as explained above, this remains somewhat unclear to me.

selfissued commented 2 weeks ago

Federation uses the signed request to do proof of possession of the RP keys. I'll look at the actual wording you're referencing.