RFC Errata
RFC 9126, "OAuth 2.0 Pushed Authorization Requests", September 2021
Source of RFC: oauth (sec)
Errata ID: 6711
Status: Reported
Type: Technical
Publication Format(s) : TEXT, PDF, HTML
Reported By: Brian Campbell
Date Reported: 2021-10-15
Section 3. says:
Clients MAY use the "request" parameter as defined in JAR [RFC9101] to push a Request Object JWT to the authorization server. The rules for processing, signing, and encryption of the Request Object as defined in JAR [RFC9101] apply. Request parameters required by a given client authentication method are included in the "application/ x-www-form-urlencoded" request directly and are the only parameters other than "request" in the form body (e.g., mutual TLS client authentication [RFC8705] uses the "client_id" HTTP request parameter, while JWT assertion-based client authentication [RFC7523] uses "client_assertion" and "client_assertion_type"). All other request parameters, i.e., those pertaining to the authorization request itself, MUST appear as claims of the JWT representing the authorization request.
It should say:
Clients MAY use the request and client_id parameters as defined in JAR [RFC9101] to push a Request Object JWT to the authorization server. The rules for processing, signing, and encryption of the Request Object as defined in JAR [RFC9101] apply. Request parameters required by a given client authentication method are included in the application/x-www-form-urlencoded request directly and are the only parameters other than request and client_id in the form body (e.g., JWT assertion-based client authentication [RFC7523] uses "client_assertion" and "client_assertion_type") HTTP request parameters). All authorization request parameters, i.e., those pertaining to the authorization request itself, MUST appear as claims of the JWT representing the authorization request.
Notes:
That first paragraph of Sec 3 was not properly updated to come inline with JAR (now RFC9101) when it changed in draft -21 to require "client_id" in the authorization request in addition to in addition to "request" or "request_uri" - so is somewhat ambiguous in maybe suggesting that "client_id" isn't required. But it is required based on how PAR works and RFC9101 requiring "client_id".