[Openid-specs-ab] Comments on the OpenID Connect Standard spec 1.0 draft 4

Edmund Jay ejay at mgi1.com
Tue Sep 20 19:34:01 UTC 2011

Yes, the intent was for the query parameters to be the same in the "request" 
I'll try to reword and clarify it in the next update.

From: George Fletcher <gffletch at aol.com>
To: Edmund Jay <ejay at mgi1.com>
Cc: Roland Hedberg <roland.hedberg at adm.umu.se>; 
"openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
Sent: Tue, September 20, 2011 12:12:21 PM
Subject: Re: [Openid-specs-ab] Comments on the OpenID Connect Standard spec 1.0 
draft 4

Ok, that makes sense. I       think we need to add some text to that affect. As 
for processing       rules, is the AS supposed to ignore any parameter that is 
in the       query/post parameter list if there is a matching parameter in       
request object? It seems strange to allow a request where the data       is 
different between the two sets of parameters. I'd prefer to       reject any 
request where the same named parameters don't match.


On 9/20/11 2:19 PM, Edmund Jay wrote: 
The query parameters need to be sent even when "request"           parameter is 
sent because the request needs to conform to           OAuth specs.
>The "request" parameter is an extension parameter used for           creating 
>more complex requests and as a way to sign/encrypt           the request.  
>Therefore the query parameters need to be           present in the "request" 
>object also and will take precedence.
From: Roland Hedberg <roland.hedberg at adm.umu.se>
>To: George               Fletcher <gffletch at aol.com>
>Cc: "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
>Sent: Mon,               September 19, 2011 11:49:53 PM
>Subject: Re: [Openid-specs-ab] Comments on the OpenID Connect               
>Standard spec 1.0 draft 4
>20 sep 2011 kl. 03:37 skrev George Fletcher:
>> * Section
>> The second paragraph says that parameters specified in             the "OpenID 
>>Request Object" take precedence over query             parameters. Yet the 
>>non-normative example, shows the same             parameter in both the query 
>>string and the OpenID Request             Object. Given that the Request Object 
>>takes precedence,             isn't just the request object enough? So the last 
>>example in             section could be...
>I went through the same reasoning but I came out the other             end with 
>the idea that the parameters that matter, those you             want to sign, 
>they should be in the request JWT and those             that isn't vital (are 
>there any such) could be in the query             string.
>Anyway I also see no reason for parameters to be in both.
>> * Section
>> This probably isn't an issue, but ensuring the entire             URL does not 
>>exceed 512 bytes, requires both the AS and the             Client to work 
>>together. If the client has a really large             state value, and the AS 
>>has a large code value, the combined             length could be greater than 
>Agreed, a bad behaved client can make it impossible for a             server to 
>construct URLs shorter then 512 bytes.
>-- Roland
>Openid-specs-ab mailing list
>Openid-specs-ab at lists.openid.net

--  Chief Architect                   AIM:  gffletch Identity Services 
Engineering     Work: george.fletcher at teamaol.com AOL Inc.                          
Home: gffletch at aol.com Mobile: +1-703-462-3494           Blog: 
http://practicalid.blogspot.com Office: +1-703-265-2544           Twitter: 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110920/b0b3fca0/attachment-0001.html>

More information about the Openid-specs-ab mailing list