[Openid-specs-ab] Spec call notes 25-Jul-11

Nat Sakimura sakimura at gmail.com
Wed Jul 27 01:08:16 UTC 2011


I suppose the compliance for RP and IdP differs.

We could require RP to support only implicit flow while IdP to support
both.

=nat

On Wed, Jul 27, 2011 at 9:39 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> No, I think the conclusion we are coming to is that while it would be nice
> for everyone to support both.
>
> A minimal RP only needs the Token flow in Lite .
>
> Is there any reason a OP wouldn't support the Token (implicit) flow?
>
> Hoving to support two flows complicates the minimal RP.
>
> John B.
> On 2011-07-26, at 12:49 PM, Mike Jones wrote:
>
> Per the call yesterday, John and I investigated whether the implicit
> (token) grant type can be effectively used with native client applications.
> The Native Applications section<http://tools.ietf.org/html/draft-ietf-oauth-v2-20#section-9>
>  of the OAuth spec makes it clear that it can.  Given that most OAuth
> interactions today use the implicit grant type, we want to confirm the
> tentative decision made on the call yesterday to have the implicit grant
> type be the one required flow in the Lite spec.****
> ** **
>                                                             -- Mike & John
> ****
> ** **
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Mike Jones
> *Sent:* Monday, July 25, 2011 4:06 PM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* [Openid-specs-ab] Spec call notes 25-Jul-11****
> ** **
> Spec call notes 25-Jul-11****
> ** **
> Nat Sakimura****
> Mike Jones****
> John Bradley****
> Edmund Jay****
> Breno de Medeiros****
> ** **
> Agenda:****
>                Reviewing proposed edits by Breno and Casper Biering****
>                Edits for Lite spec****
>                Feedback from Torsten****
> ** **
> Reviewing Breno's proposed edits****
>                Other than those we comment on here, we are using the
> resolutions in Nat's response note****
>                Should indicate the fact that the two flows can be used in
> combination****
>                when a client consists of different components that both
> maintain user****
>                signed-in state****
>                               Nat will take a stab at text for this****
>                               John asked whether this should be supported
> in Lite****
>                                              This should be in "Standard" -
> not in "Lite"****
>                Related question - do we want code flow in Lite as well as
> implicit or just implicit?****
>                               We should go with just implicit to keep Lite
> as simple as possible****
> ** **
>                Breno's comments about cross-domain post message and HTML5
> (starting "- Client sends a request to authorization server -> Client
> submits"...)****
>                               Somebody (probably Breno) needs to propose
> normative text for this****
>                               Since it affects interop****
>                               In further discussions, we agreed that we
> want to mostly refer to OAuth 2 and not do Connect-specific things when
> possible****
>                                              So post message flow should
> happen in OAuth 2 - not OpenID Connect****
> ** **
>                Per Breno's comments about code+token****
>                               We agreed that this doesn't belong in Lite**
> **
>                               (Per OAuth draft 19 & 20, this also becomes
> "code token")****
> ** **
> ** **
>                JWT format will used for id_token, but id_token is not part
> of Lite****
> ** **
> Reviewing Caspar's proposed edits****
>                Nat agrees with all of Caspar's proposed edits - Mike to
> review and check in****
>                We agreed that redirect_uri should be required for now (as
> it already is)****
> ** **
> Breno requested that remove the native application text in the session
> management spec****
>                We're not sure that this is right yet****
>                Code flow needed for Native apps****
>                               We need to investigate this if we're only
> mandating token flow in Lite****
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110727/ad5200ed/attachment.html>


More information about the Openid-specs-ab mailing list