JARM (JWT Secured Authorization Response Mode) #208
Comments
|
The Warning section in the JARM draft states:
Based on this, I'm reluctant to implement this. It also seems quite early in the review phase. However, I do see value in providing an extension point that would allow an Authorization Server implementation to customize the Authorization response parameters using JARM or |
|
In spite of the excerpted sentence, the specification itself is stable. JARM is mentioned in the Financial-grade API (FAPI) specification. Authorization servers that support FAPI Part 2 must support JARM or be able to issue an ID token from the authorization endpoint. |
|
@TakahikoKawasaki As an FYI - so you're more familiar with our development process - new feature development starts off with a closed API and we incrementally open it up when it becomes more stable and requires end-consumer customization. Hence, the reason why you cannot customize the Authorization Request or Response at the moment. #139 captures end-consumer customization requirements at a high-level for consolidating into one ticket. From there, I will open a new ticket with details related to one of the feature requirements when it's time to "open up". I'm aware that customizing the Authorization Request/Response and Token Request/Response is an MVP requirement. These extension points will allow Authorization Server implementations to implement JARM, |
|
Given that JARM is not needed in FAPI 2.0 (see Main Differences to FAPI 1.0), we might not implement this capability.
|
JARM (JWT Secured Authorization Response Mode) support.
JARM (
response_mode=*.jwt) has a considerably big impact on authorization server implementations. It is recommended that the feature be designed and implemented from the beginning.The text was updated successfully, but these errors were encountered: