JARM (JWT Secured Authorization Response Mode) #208
Comments
The Warning section in the JARM draft states:
Based on this, I'm reluctant to implement this. It also seems quite early in the review phase. However, I do see value in providing an extension point that would allow an Authorization Server implementation to customize the Authorization response parameters using JARM or
In spite of the excerpted sentence, the specification itself is stable. JARM is mentioned in the Financial-grade API (FAPI) specification. Authorization servers that support FAPI Part 2 must support JARM or be able to issue an ID token from the authorization endpoint.
@TakahikoKawasaki As an FYI - so you're more familiar with our development process - new feature development starts off with a closed API and we incrementally open it up when it becomes more stable and requires end-consumer customization. Hence, the reason why you cannot customize the Authorization Request or Response at the moment. #139 captures end-consumer customization requirements at a high-level for consolidating into one ticket. From there, I will open a new ticket with details related to one of the feature requirements when it's time to "open up". I'm aware that customizing the Authorization Request/Response and Token Request/Response is an MVP requirement. These extension points will allow Authorization Server implementations to implement JARM,
Given that JARM is not needed in FAPI 2.0 (see Main Differences to FAPI 1.0), we might not implement this capability.
JARM (JWT Secured Authorization Response Mode) support.
JARM (response_mode=*.jwt) has a considerably big impact on authorization server implementations. It is recommended that the feature be designed and implemented from the beginning.