types of several values in Authentication Request not defined

[bitbucket-import-issues]

Originally submitted by josephheenan (Joseph Heenan) on 2022-09-12

In this section:

https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.1

The types for several values seem to be left unstated. This probably doesn’t matter too much in unsigned requests, but does matter in signed requests.

For example, login_hint is presumably intended to be a string value. (The draft Brazil CIBA spec appears to define it as a JSON object instead.)

---

Bitbucket status: new

Bitbucket origin: issue 208

[bitbucket-import-issues]

Originally submitted by Brian Campbell (Brian Campbell) on 2022-09-12

Admittedly it’s not spec'd out in the best way but the next section 7.1.1. Signed Authentication Request makes it pretty clear that login_hint would be a string.

https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html#rfc.section.7.1.1

A signed authentication request is made by encoding all of the authentication request parameters as claims of a signed JWT with each parameter name as the claim name and its value as a JSON string. An exception to this is requested_expiry, which may be sent as either a JSON string or a JSON number, the OP must accept either type. An extension or profile may define additional authentication request parameters, these may be defined to be any JSON type.

‌

[bitbucket-import-issues]

Originally submitted by josephheenan (Joseph Heenan) on 2022-09-13

Ahhh. Thanks Brian. I completely missed that part when I was trying to figure this out. That makes the behaviour very clear, thanks. As you hint at it might be good to have It clearer in the previous section perhaps, perhaps we can consider that if there’s an errata version.