[Openid-specs-ab] Redirect URL or URI?

Mike Jones Michael.Jones at microsoft.com
Thu Jul 28 23:39:07 UTC 2011


Another question from the call:  Is there some circumstance in which the redirect URL can actually be an URN, rather than a URL?  In that case, Casper's proposed change of redirect_url to redirect_uri would make sense.  But if it can only be a URL, it doesn't.  (Yes, OAuth called it a URI, but in the OpenID specs, we've tried to be consistent in naming things that can only be URLs URL, versus things that can be URNs URIs.)

                                                            Thanks again,
                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Thursday, July 28, 2011 3:53 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Spec call notes 28-Jul-11

Spec call notes 28-Jul-11

Mike Jones
John Bradley
Edmund Jay
Nat Sakimura
Johnny Bufu

Agenda:
               Specific questions about spec features
                              audience parameter in request
                              nonce parameter in request
                              req -> request in OAuth request
                              Can a redirect_url be a redirect URI?
               Editing updates
               IPR Contribution Agreements

audience parameter in request
               A bad RP could put in someone else's audience
               Do we not pass it and have audience constructed out of return_to?
               Edmund thought this had to do with input from Breno about native clients
               We don't have enough information to use it properly - will remove unless clarified

nonce parameter in request
               Should RP supply a nonce or just request that a nonce be used?
               John asked what the difference between nonce and state is
               Edmund thought that this was something specific to Facebook
               Nat pointed out that we haven't said anything about processing rules for the nonce
                              Other than that the value is returned in id_token
                              No rule about verifying nonce, at present
               John will look at the Facebook documentation and investigate their usage
               If not required for the Lite spec, it should probably be removed there

req -> request in OAuth HTTP request
               We agreed to make this change

Can a redirect_url be a redirect URI?
               We think no
               This is separate from the js_origin_url
                              (The js_origin_url may not use an http scheme, but is still a redirect target)
               Nat wondered whether he wanted to change the name just to be closer to OAuth

Editing updates
               Mike has reviewed Casper's edits and is ready to check them in, modulo the discussions above
               John has the Lite spec down to about 15 pages including Security Considerations
                              This includes id_token
                              Without security considerations and references is 10 pages, including 1.5 pages of index
                              Or roughly 8 pages of spec material
               John reverted the text to use the name "Introspection Endpoint"
               John asked whether we should copy the relevant portions of the Discovery spec into Lite
                              We agreed no, saying that Discovery is optional and could be replaced by manual configuration

               Besides producing Lite, we also need to produce:
                              Standard
                              Messages (Core and Framework)
               Already have:
                              Discovery
                              Registration
                              Session Management

               Lite is pared down to the world view of an RP
                              Compliance for IdPs may be different for IdPs than for RPs
                              IdPs should support code and token flows but RPs can just support token
                              Say this in a conformance section in Standard

IPR Contribution Agreements
               Nat will review the list archives and produce a list of people we need IPR agreements from
               We should not go to an implementer's draft until we have the appropriate agreements in place
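The nonce discussion above (John's question about the difference between nonce and state, and Nat's point that the notes contain no verification rule beyond "the value is returned in id_token") is easier to reason about with a concrete RP-side flow. The following is an added example, not code from the thread, the OpenID specs, or any OpenID implementation: it shows how an RP would bind `state` to the browser session and `nonce` to the issued `id_token`, and reject a callback where either does not match. It assumes a hypothetical IdP at `idp.example`, a constructed client id, and a constructed HS256 shared secret so the token can be built and checked with the standard library alone.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlencode

# Constructed secret shared by the stand-in IdP and the RP. HS256 keeps this
# example stdlib-only; it is not how a real IdP would sign tokens.
SHARED_SECRET = b"constructed-example-secret"
CLIENT_ID = "rp-client-id-example"          # constructed client identifier
ISSUER = "https://idp.example"              # hypothetical IdP


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def start_authorization(session: dict, redirect_uri: str) -> str:
    """RP side: mint `state` (ties the callback to this browser session) and
    `nonce` (ties the id_token to this login attempt), store both, and build
    the authorization request URL."""
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    params = {
        "response_type": "id_token",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return ISSUER + "/authorize?" + urlencode(params)


def idp_issue_id_token(nonce: str, sub: str = "user-123") -> str:
    """Stand-in IdP: echo the request nonce into an HS256-signed id_token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "nonce": nonce, "exp": int(time.time()) + 300}
    payload = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SHARED_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def handle_callback(session: dict, state: str, id_token: str) -> dict:
    """RP side: state must match the session, the signature must verify,
    and the nonce inside the token must match the one this session sent."""
    if not hmac.compare_digest(state, session.get("state", "")):
        raise ValueError("state mismatch: callback not bound to this session")
    header, payload, sig = id_token.split(".")
    expected = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("issuer/audience mismatch")
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    if not hmac.compare_digest(claims.get("nonce", ""), session.get("nonce", "")):
        raise ValueError("nonce mismatch: id_token not issued for this login attempt")
    # Both values are single-use: drop them so a replayed callback fails.
    session.pop("state")
    session.pop("nonce")
    return claims


if __name__ == "__main__":
    sess = {}
    print(start_authorization(sess, "https://rp.example/cb"))
    token = idp_issue_id_token(sess["nonce"])
    print(handle_callback(sess, sess["state"], token))
```

The two parameters fail at different points: a wrong `state` is rejected before the token is even parsed, because it is a property of the callback, whereas `nonce` is only checked after the signature verifies, because it is a claim inside the `id_token` and is what stops a validly signed token from one login attempt being presented in another.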