Question
The response of the OIDC endpoint GET /.well-known/openid-configuration HTTP/1.1 provides information about different API URIs such as authorise, token, and introspection. Some of the URIs like /authorise require request parameters to be passed by the ADR.
- How does an Accredited Data Recipient (ADR) know what additional parameters to pass to the authorise endpoint?
- Can a Data Holder (DH) add custom parameters in the request, in addition to the standard parameters such as client_id, response_type?
Answer
The specification of the authorisation endpoint is deferred to the normative standard unless otherwise specified. The ADR should follow the specification and add parameters according to the Consumer Data Standard specification requirements, and the underlying specifications to which it refers, such as FAPI, OpenID Connect and OAuth 2.0.
See:
- CDS Authentication flows
- OIDC
- OpenID Connect Discovery Provider Configuration Request
- OAuth 2.0
- FAPI
The Data Holders are required to accept requests that are compliant with the standards and cannot add extra requirements to pass extra parameters.
If by custom parameters, you mean for example:
"authorization_endpoint" : "http://www DH.com.au/authorise?foo=bar"
yes, this is allowed by OAuth 2.0 section 3.1.
See:
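The point in the answer above, an authorization_endpoint that already carries a query component such as ?foo=bar, has a concrete consequence for an ADR client: OAuth 2.0 section 3.1 says that query component must be retained when the client appends its own request parameters, and that the endpoint URI must not contain a fragment. The following Python is an added illustration, not code from the CDR standards or from any Data Holder; the discovery document, hostnames and parameter values in it are constructed, and the function names are the author's own. It reads a discovery response, validates the authorization endpoint, and builds the authorisation request URL while keeping the Data Holder's pre-existing query parameters intact and refusing to silently override them.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample of a /.well-known/openid-configuration response.
# Hostnames and values are placeholders, not a real Data Holder's metadata.
SAMPLE_DISCOVERY_JSON = """
{
  "issuer": "https://idp.example-dh.test",
  "authorization_endpoint": "https://idp.example-dh.test/authorise?foo=bar",
  "token_endpoint": "https://idp.example-dh.test/token",
  "introspection_endpoint": "https://idp.example-dh.test/introspect",
  "jwks_uri": "https://idp.example-dh.test/jwks"
}
"""

# Metadata an ADR client cannot proceed without (assumed minimum for this example).
REQUIRED_KEYS = ("issuer", "authorization_endpoint", "token_endpoint")


def load_discovery(doc: str) -> dict:
    """Parse the discovery JSON and check the endpoints this client relies on exist."""
    discovery = json.loads(doc)
    missing = [k for k in REQUIRED_KEYS if k not in discovery]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    return discovery


def build_authorization_url(discovery: dict, request_params: dict) -> str:
    """Append the ADR's request parameters to the DH's authorization_endpoint.

    Per OAuth 2.0 section 3.1 the endpoint URI may already carry a query
    component, which is retained, and must not carry a fragment.
    """
    parts = urlsplit(discovery["authorization_endpoint"])
    if parts.scheme != "https":
        # FAPI profiles require TLS on these endpoints; reject plain http.
        raise ValueError("authorization_endpoint must use https")
    if parts.fragment:
        raise ValueError("authorization_endpoint must not include a fragment")

    # Keep whatever the Data Holder published (e.g. foo=bar), in order.
    existing = parse_qsl(parts.query, keep_blank_values=True)

    # Never let the ADR's parameters overwrite a name the DH already set:
    # surfacing the clash is safer than guessing which value wins.
    clash = {name for name, _ in existing} & set(request_params)
    if clash:
        raise ValueError(f"request parameters collide with endpoint query: {sorted(clash)}")

    query = urlencode(existing + list(request_params.items()))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


if __name__ == "__main__":
    disc = load_discovery(SAMPLE_DISCOVERY_JSON)
    # Standard parameters an ADR supplies; values are constructed placeholders.
    params = {
        "response_type": "code",
        "client_id": "adr-client-placeholder",
        "redirect_uri": "https://adr.example.test/callback",
        "scope": "openid",
        "state": "state-placeholder",
        "nonce": "nonce-placeholder",
    }
    print(build_authorization_url(disc, params))
```

The collision check is the part worth keeping in a real client: if a Data Holder ever published an endpoint whose query already contained client_id or redirect_uri, silently appending a second copy would produce a request whose interpretation depends on the server, so the client should fail loudly instead.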