Consider using application/json rather than application/x-www-form-urlencoded in the id_assertion_endpoint #644
Comments
@samuelgoto I believe the registered JSON content-type would be
As is often the case, @panva is correct*. * my assessment of correctness is based on my own research at https://www.iana.org/assignments/media-types/media-types.xhtml
text/json rather than application/x-www-form-urlencoded in the id_assertion_endpoint
application/json rather than application/x-www-form-urlencoded in the id_assertion_endpoint
For completeness, I'll copy the response from @cbiesinger
I believe @gffletch mentioned OIDC - Passing Request Parameters as JWTs, where the Request Object is compatible with OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request. Looking at OAuth 2.0 Pushed Authorization Requests the POST also uses The expired OAuth 2.0 JSON Request draft also seems to confirm that. This issue could be resolved by simply leaving the request as It might be worth looking at the OIDC Request Object, JAR, and PAR usage of JWT compared to the simple JSON string proposed in w3c-fedid/custom-requests#2. Any potential discussion would probably belong to that issue.
This was discussed during the meeting reviewing #661
Forking something orthogonal from this thread w3c-fedid/custom-requests#2 so that we can look in isolation, rather than in conjunction with the original issue