Description
6.1.1. Push Delivery using HTTP says that

> authorization_header
> If the endpoint_url requires authorization, the receiver SHOULD provide this authorization header in the stream creation/updation. If present, the Transmitter MUST provide this value with every HTTP request to the endpoint_url.
How should receiver handle push delivery requests with an authorization header, if the stream config does not define a push authorization header?
How to deal with the case that a stream explicitly does not define a push authorization header but the transmitter sends an Authorization header anyway?
If we receive an authorization header for push endpoint requests, without specifying one, this might indicate a configuration issue on either the transmitter or receiver side.
Should a receiver ignore the authorization header and accept the request, or should the receiver reject the request?
In the latest version of the OIDF conformance suite, we have a new test (openid-ssf-transmitter-push-no-auth) which explicitly uses NO push authorization header and fails the (new) test (openid-ssf-transmitter-push-no-auth), if the transmitter sends a request with an authorization header.
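To make the two options raised above concrete, here is an added example of a Receiver-side check for push delivery requests; it is illustration written for this issue, not code from the SSF specification or from the OIDF conformance suite. The `UnexpectedAuthPolicy` switch, the `check_push_authorization` and `push_response` function names, and the mapping of outcomes to HTTP status codes and `err` values are all this example's own choices (the `202 Accepted` success response and the `err`/`description` error body follow RFC 8935; the choice of 401 vs 400 for the two failure kinds is an assumption). The sample stream configurations and request headers at the bottom are constructed.

```python
import hmac
from enum import Enum


class UnexpectedAuthPolicy(Enum):
    """What the Receiver does when a push request carries an Authorization
    header although the stream config never defined authorization_header.
    (This switch is an assumption of the example, not something the spec defines.)"""
    IGNORE = "ignore"   # accept the request and disregard the header
    REJECT = "reject"   # treat it as a configuration mismatch and refuse


def check_push_authorization(configured_header, received_header,
                             policy=UnexpectedAuthPolicy.REJECT):
    """Decide whether a push delivery request passes the authorization check.

    configured_header: the authorization_header value the Receiver supplied at
        stream creation/update, or None when the stream config defines none.
    received_header: the Authorization header on the incoming request, or None.
    Returns (accepted, reason).
    """
    if configured_header is not None:
        # The stream requires authorization: the header must be present and match.
        if received_header is None:
            return False, "missing Authorization header on a stream that requires one"
        # Constant-time comparison so a timing side channel does not reveal
        # how much of the configured value an attacker has guessed correctly.
        if not hmac.compare_digest(configured_header.encode("utf-8"),
                                   received_header.encode("utf-8")):
            return False, "Authorization header does not match stream configuration"
        return True, "Authorization header matches stream configuration"

    # No authorization_header configured for this stream.
    if received_header is None:
        return True, "no authorization configured and none sent"
    if policy is UnexpectedAuthPolicy.IGNORE:
        return True, "unexpected Authorization header ignored"
    return False, "unexpected Authorization header; possible configuration mismatch"


def push_response(configured_header, received_header,
                  policy=UnexpectedAuthPolicy.REJECT):
    """Map the check to an HTTP response (status, body) for the push endpoint.

    202 with an empty body is the RFC 8935 success response. The split between
    401 authentication_failed (required header missing or wrong) and
    400 invalid_request (header sent although none was configured) is this
    example's assumption, not a spec requirement.
    """
    accepted, reason = check_push_authorization(configured_header, received_header, policy)
    if accepted:
        return 202, None
    if configured_header is not None:
        return 401, {"err": "authentication_failed", "description": reason}
    return 400, {"err": "invalid_request", "description": reason}


# Constructed sample cases: (stream config value, header on the request).
SAMPLE_CASES = {
    "configured_and_matching": ("Bearer s3cr3t-push-token", "Bearer s3cr3t-push-token"),
    "configured_but_missing": ("Bearer s3cr3t-push-token", None),
    "configured_but_wrong": ("Bearer s3cr3t-push-token", "Bearer not-the-token"),
    "unconfigured_and_absent": (None, None),
    "unconfigured_but_sent": (None, "Bearer leftover-token"),
}


def run_samples(policy=UnexpectedAuthPolicy.REJECT):
    """Return {case name: HTTP status} for every sample case under the given policy."""
    return {name: push_response(cfg, hdr, policy)[0]
            for name, (cfg, hdr) in SAMPLE_CASES.items()}


if __name__ == "__main__":
    for policy in UnexpectedAuthPolicy:
        print(policy.value, run_samples(policy))
```

Running the block prints the status each sample case gets under both policies; the only case whose outcome depends on the policy is `unconfigured_but_sent`, which is exactly the situation the issue asks about.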