[Openid-specs-ab] UserInfo endpoint comments

George Fletcher gffletch at aol.com
Tue Jun 28 17:06:28 UTC 2011


I noticed that the user info endpoint requires the token to be passed in 
the access_token parameter. Is there a reason this endpoint isn't a full 
OAuth2 endpoint? Should the endpoint allow the access_token to be 
specified in the HTTP Authorization header? The spec currently doesn't 
define error responses, etc. I think it would be valuable to just say 
the endpoint is an OAuth2 compatible endpoint and we can then leverage 
all the error flows from the OAuth2 spec.

I'm also assuming that the user info endpoint allows both GET and POST 
but only over SSL. It might be good to clarify that as well.


Chief Architect                   AIM:  gffletch
Identity Services Engineering     Work: george.fletcher at teamaol.com
AOL Inc.                          Home: gffletch at aol.com
Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch
