RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 9126, "OAuth 2.0 Pushed Authorization Requests", September 2021

Source of RFC: oauth (sec)

Errata ID: 6711
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML

Reported By: Brian Campbell
Date Reported: 2021-10-15

Section 3. says:

   Clients MAY use the "request" parameter as defined in JAR [RFC9101]
   to push a Request Object JWT to the authorization server.  The rules
   for processing, signing, and encryption of the Request Object as
   defined in JAR [RFC9101] apply.  Request parameters required by a
   given client authentication method are included in the "application/
   x-www-form-urlencoded" request directly and are the only parameters
   other than "request" in the form body (e.g., mutual TLS client
   authentication [RFC8705] uses the "client_id" HTTP request parameter,
   while JWT assertion-based client authentication [RFC7523] uses
   "client_assertion" and "client_assertion_type").  All other request
   parameters, i.e., those pertaining to the authorization request
   itself, MUST appear as claims of the JWT representing the
   authorization request.

It should say:

  Clients MAY use the request and client_id parameters as defined in 
  JAR [RFC9101] to push a Request Object JWT to the authorization 
  server. The rules for processing, signing, and encryption of the 
  Request Object as defined in JAR [RFC9101] apply. Request parameters
  required by a given client authentication method are included in the
  application/x-www-form-urlencoded request directly and are the only 
  parameters other than request and client_id in the form body (e.g.,
  JWT assertion-based client authentication [RFC7523] uses 
  "client_assertion" and "client_assertion_type") HTTP request
  parameters). All authorization request parameters, i.e., those 
  pertaining to the authorization request itself, MUST appear as
  claims of the JWT representing the authorization request.

Notes:

That first paragraph of Sec 3 was not properly updated to come inline with JAR (now RFC9101) when it changed in draft -21 to require "client_id" in the authorization request in addition to in addition to "request" or "request_uri" - so is somewhat ambiguous in maybe suggesting that "client_id" isn't required. But it is required based on how PAR works and RFC9101 requiring "client_id".

Report New Errata