[Openid-specs-ab] Lite Draft 8

Anthony Nadalin tonynad at microsoft.com
Wed Aug 17 17:28:57 UTC 2011

So why would you have to give back all the information? You get back all or any portion that you are authorized to access

From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Tuesday, August 16, 2011 4:41 PM
To: Anthony Nadalin
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Lite Draft 8

>From a privacy point of view giving all of the information in the user-info endpoint all the time with only a single scope is not ideal.
Mike wanted to do that but have additional negative scope so that you could say you don't want things, but have the default be the common case.
This still requires defining multiple scopes.

We could just make openid the scope for the id_token.  However that makes interoperability for the user-info endpoint worse than AX if that is possible.

I wouldn't want to get rid of nonce or state for security reasons.  We could make those required for the profile and ditch prompt and display.

Other opinions?

On 2011-08-16, at 7:03 PM, Anthony Nadalin wrote:

1.       3.1 Why is there any scope beyond "openid", is this spec going to be continually updated whenever a new scope is added/changed, seems like a bad idea to have additional scopes in the spec
2.       3.2.1 Why have optional parameters, this should be basic (code and go)
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110817/1b2d68e4/attachment.html>

More information about the Openid-specs-ab mailing list