[Openid-specs-ab] Spec call notes 25-Jul-11

John Bradley ve7jtb at ve7jtb.com
Wed Jul 27 02:05:21 UTC 2011

OK,  So for RP  token is mandatory to implement, and it is in Lite.

For OP Code and Token are mandatory to implement flows,  so they will need to look at the full spec, or at least more than Lite for RP.

John B.
On 2011-07-26, at 9:08 PM, Nat Sakimura wrote:

> I suppose the compliance for RP and IdP differs. 
> We could require RP to support only implicit flow while IdP to support both. 
> =nat
> On Wed, Jul 27, 2011 at 9:39 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> No, I think the conclusion we are coming to is that while it would be nice for everyone to support both.
> A minimal RP only needs the Token flow in Lite .
> Is there any reason a OP wouldn't support the Token (implicit) flow?
> Hoving to support two flows complicates the minimal RP.   
> John B.
> On 2011-07-26, at 12:49 PM, Mike Jones wrote:
>> Per the call yesterday, John and I investigated whether the implicit (token) grant type can be effectively used with native client applications.  The Native Applications section of the OAuth spec makes it clear that it can.  Given that most OAuth interactions today use the implicit grant type, we want to confirm the tentative decision made on the call yesterday to have the implicit grant type be the one required flow in the Lite spec.
>>                                                             -- Mike & John
>> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
>> Sent: Monday, July 25, 2011 4:06 PM
>> To: openid-specs-ab at lists.openid.net
>> Subject: [Openid-specs-ab] Spec call notes 25-Jul-11
>> Spec call notes 25-Jul-11
>> Nat Sakimura
>> Mike Jones
>> John Bradley
>> Edmund Jay
>> Breno de Medeiros
>> Agenda:
>>                Reviewing proposed edits by Breno and Casper Biering
>>                Edits for Lite spec
>>                Feedback from Torsten
>> Reviewing Breno's proposed edits
>>                Other than those we comment on here, we are using the resolutions in Nat's response note
>>                Should indicate the fact that the two flows can be used in combination
>>                when a client consists of different components that both maintain user
>>                signed-in state
>>                               Nat will take a stab at text for this
>>                               John asked whether this should be supported in Lite
>>                                              This should be in "Standard" - not in "Lite"
>>                Related question - do we want code flow in Lite as well as implicit or just implicit?
>>                               We should go with just implicit to keep Lite as simple as possible
>>                Breno's comments about cross-domain post message and HTML5 (starting "- Client sends a request to authorization server -> Client submits"...)
>>                               Somebody (probably Breno) needs to propose normative text for this
>>                               Since it affects interop
>>                               In further discussions, we agreed that we want to mostly refer to OAuth 2 and not do Connect-specific things when possible
>>                                              So post message flow should happen in OAuth 2 - not OpenID Connect
>>                Per Breno's comments about code+token
>>                               We agreed that this doesn't belong in Lite
>>                               (Per OAuth draft 19 & 20, this also becomes "code token")
>>                JWT format will used for id_token, but id_token is not part of Lite
>> Reviewing Caspar's proposed edits
>>                Nat agrees with all of Caspar's proposed edits - Mike to review and check in
>>                We agreed that redirect_uri should be required for now (as it already is)
>> Breno requested that remove the native application text in the session management spec
>>                We're not sure that this is right yet
>>                Code flow needed for Native apps
>>                               We need to investigate this if we're only mandating token flow in Lite
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110726/c0be8678/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110726/c0be8678/attachment-0001.p7s>

More information about the Openid-specs-ab mailing list