[Openid-specs-ab] Current Summary of Issues

Nat Sakimura sakimura at gmail.com
Tue Jun 8 07:45:43 UTC 2010


Here is the current summary of issues collected on the draft.

1. Error codes in Negative Assertions need to be defined.

- "invalid code"
- "invalid client_id"
- "invalid secret_type"
- "expired code"

(Currently, it just defines "cancel" per OpenID 2.0)

2. If the "code" in the direct assertion request is invalid, the OP cannot
understand "atype".

opt.1: Make the error always JSON
  => JavaScript clients may choke
opt.2: Have atype in the request as well.
  => this means we have to define errors in other atypes like SAML, etc.

From the point of view of simplicity, opt.1 looks better to me.

3. Define "id" in the request file.

- I need to understand the semantics. It would be better to have a more
descriptive name.

4. The semantics of "issued_at" and "expires_in" need clarification.

- Are they the same for all of 1) Assertion, 2) Artifact, and 3) Access
Token?
- If not, would it not be better to define all of them?


-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
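The following is an added illustration of issues 1, 2 and 4 above; it is not code from the Artifact Binding draft or from any OpenID project. It sketches "opt.1": the OP answers every failure of a direct assertion request with a JSON error body, whatever assertion type (atype) the artifact was issued for, so the RP can recognise an error even in the one case where the OP cannot look up the code and hence cannot know the atype. The error strings are the four listed in issue 1; the request parameter names, the in-memory artifact store, the "error" JSON key, the key-value encoding for "openid2", and the reading of "issued_at" as an absolute Unix timestamp plus "expires_in" as a lifetime in seconds (one of the interpretations issue 4 asks about) are all assumptions made for this example.

```python
import json
import time

# Constructed sample artifact store: code -> record created at authentication time.
# Assumed shape; the draft under discussion does not define these field names.
ARTIFACTS = {
    "c-1234": {
        "client_id": "https://rp.example.com/",
        "secret_type": "hmac-sha256",
        "atype": "openid2",
        "issued_at": 1275979543,   # absolute Unix time (assumed semantics)
        "expires_in": 600,         # lifetime in seconds (assumed semantics)
        "assertion": {
            "openid.mode": "id_res",
            "openid.claimed_id": "https://alice.example.org/",
        },
    },
}


def error_response(code):
    """opt.1: every failure is HTTP 400 with a JSON body, regardless of atype."""
    return 400, json.dumps({"error": code}), "application/json"


def encode_assertion(atype, assertion):
    """Success responses keep the assertion type's own encoding (assumed mapping)."""
    if atype == "openid2":
        # OpenID 2.0 key-value form: one "key:value" pair per line.
        return "".join(f"{k}:{v}\n" for k, v in assertion.items()), "text/plain"
    return json.dumps(assertion), "application/json"


def direct_assertion(request, now=None, store=ARTIFACTS):
    """OP side: resolve a direct assertion request into (status, body, content_type).

    request is a dict with 'code', 'client_id' and 'secret_type' (assumed names).
    Checks run in the order the error codes are listed in the message.
    """
    now = time.time() if now is None else now
    rec = store.get(request.get("code"))
    if rec is None:
        # Unknown code: atype cannot be recovered, which is exactly why the
        # error format must not depend on it.
        return error_response("invalid code")
    if rec["client_id"] != request.get("client_id"):
        return error_response("invalid client_id")
    if rec["secret_type"] != request.get("secret_type"):
        return error_response("invalid secret_type")
    if now >= rec["issued_at"] + rec["expires_in"]:
        return error_response("expired code")
    body, ctype = encode_assertion(rec["atype"], rec["assertion"])
    return 200, body, ctype


def client_parse(status, body, ctype):
    """RP side: tell an error from an assertion using status and content type only."""
    if status != 200:
        if ctype == "application/json":
            return ("error", json.loads(body).get("error"))
        return ("error", "unparseable")
    if ctype == "text/plain":
        pairs = (line.split(":", 1) for line in body.splitlines() if line)
        return ("assertion", dict(pairs))
    return ("assertion", json.loads(body))
```

The RP never has to know the atype to handle a failure: a non-200 status with a JSON body is an error by construction, and the four codes map one to one onto the checks the OP performed. Note that the expiry check is the only one that needs a clock; if "issued_at" turned out to mean something different for artifacts than for assertions or access tokens (issue 4), that line is the one that would change.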