[Openid-specs-ab] Spec call notes 15-Aug-11

Edmund Jay ejay at mgi1.com
Wed Aug 17 04:57:33 UTC 2011

Spec call notes 05-Aug-11

John Bradley
Nat Sakimura
Johnny Bufu
Edmund Jay
Tony Nadalin

John received some feedback regarding the OpenID Connect Lite spec.
    Feedback from Allen :
        * Consider removing id_token from Lite spec since it mentions that RP wanting to process process id_tokens should consider full spec. 
               ID Token will remain in Lite spec with better explanation and examples.
        * Is scopes a comma separated list?  
               NO, its space separated list, according to OAuth 2.0 specs.
        * Section 3.2.1, Allen asks for more example values from scope, display, and prompt parameters in authorization request.
               These parameters need better documentation. Discussed whether these should be defined in OpenID Connect specs or in a separate OAuth extension spec.
               Tony said these values need to be registered in IANA OAuth Registry. Tony to look into process of the specifics of registering values.
        * Section 3.2 and should make it clear that implicit flow tokens are returned in fragment of URL
        * Allen made some suggestions of using small, medium (bigger), and large values for resolution and aspect ratios of profile pictures. Pointed to examples from
           Twitter and Facebook.
                 Allen should write a detailed explanation for values?

    Additional feedback from George Fletcher which was received shortly prior to call.
      John to address the feedback in list.

Johnny proposes to changing Lite spec to Lite Client spec.
    John said that Lite spec already mentions that only clients should read Lite spec. Providers should refer to Full spec.
    Name changes will require SVN access which John does not have.
   Will solicit feedback on list for definite name before changing.

Johnny would like a more detailed, high level explanation on differences between access tokens and ID tokens.
    Access tokens are used for protected resources and can have different expiration times.
    ID tokens only provide claims for the authentication session and is only valid for the session.
   John to provide paragraphs in Lite spec.

Nat created Issues Tracker at http://hg.openid.net/connect/issues/
People are encouraged to submit issues there.

More information about the Openid-specs-ab mailing list