[Openid-specs-ab] UserInfo Request

Mike Jones Michael.Jones at microsoft.com
Thu Sep 29 03:00:37 UTC 2011

I agree with Tony here.  He and I both read the Basic and Standard specs to see if the parameter could be passed in the body, and to both of us, it appeared that OpenID Connect (as a profile of OAuth 2.0) was intentionally ruling this out.

Nat, could you maybe add an issue in the issue tracker to clean up this language, at least in the Standard spec, to make it clear that all the OAuth 2.0 parameter passing methods can be used?  (Breno should like this too. :))

                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Anthony Nadalin
Sent: Wednesday, September 28, 2011 7:52 PM
To: Nat Sakimura
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] UserInfo Request

I think it's confusing the way it reads, as it does not give me an option to use the OAuth Core, so how would I know?

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Wednesday, September 28, 2011 5:21 PM
To: Anthony Nadalin
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] UserInfo Request

I think it does. OAuth allows access_token to be used in HTTP header, GET param, and POST param (body), and the text goes "Access tokens sent in the authorization header must be Bearer tokens [OAuth.2.0.Bearer] (http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer). If the client is using the HTTP GET method, it SHOULD send the access token in the authorization header." So it is saying:

1. If the access_token is sent in the HTTP header, it has to use the Bearer tokens scheme.
2. If the request is GET, it has to use HTTP header to send the access_token.
(3. Implicitly, because OAuth allows - do as the OAuth says for the POST, i.e., Body.)

Are you suggesting that we should add 3. so that people do not have to read OAuth.2.0.Bearer?


On Thu, Sep 29, 2011 at 7:27 AM, Anthony Nadalin <tonynad at microsoft.com> wrote:
In http://openid.net/specs/openid-connect-standard-1_0.html#anchor19 it does not call out the use of the body as an option for the access token. Since access tokens can get large, there may be issues using only the header. The Bearer token specification allows usage of the body, so the OpenID Standard specification should as well.

Nat Sakimura (=nat)
Chairman, OpenID Foundation
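The three ways of sending the access token that Nat lists above (Authorization header, form-encoded POST body parameter, URI query parameter) are the three transmission methods RFC 6750 (the OAuth 2.0 Bearer spec cited as [OAuth.2.0.Bearer]) defines. The following is an added example, not code from this thread or from any OpenID Foundation specification: a server-side extractor for a UserInfo-style endpoint that accepts all three methods, enforces RFC 6750's rule that a client MUST NOT use more than one method in a single request and that the form-body method is not used with GET, and builds the WWW-Authenticate challenge for rejections. The request representation (method, headers dict, query string, raw body, content type), the helper names and the sample requests are constructed for illustration only.

```python
"""Extract an OAuth 2.0 bearer token from a resource request using the three
transmission methods of RFC 6750: Authorization header (2.1), form-encoded
body parameter (2.2) and URI query parameter (2.3).

Added example; the request shape and helper names are assumptions made here.
"""
import re
from urllib.parse import parse_qs

# RFC 6750 section 2.1 token syntax:
#   b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
_B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
# Scheme name is case-insensitive in HTTP; the token itself is a single token68 word
_BEARER_HEADER = re.compile(r"^Bearer[ \t]+(\S+)$", re.IGNORECASE)

# RFC 6750 section 3.1 error codes and the status the resource server answers with
ERROR_STATUS = {"invalid_request": 400, "invalid_token": 401, "insufficient_scope": 403}


class TokenError(ValueError):
    """Malformed or ambiguous token transmission: answer 400 with error="invalid_request"."""


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict (constructed request shape)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def extract_bearer_token(method, headers, query_string="", body="", content_type=""):
    """Return (token, transport) or None when no bearer token is present.

    transport is "header", "form" or "query". A request that carries the token by
    more than one method is rejected, as RFC 6750 section 2 requires.
    """
    found = []

    # 2.1 Authorization Request Header Field: "Authorization: Bearer <b64token>"
    auth = _header(headers, "Authorization")
    if auth is not None:
        match = _BEARER_HEADER.match(auth.strip())
        if not match or not _B64TOKEN.match(match.group(1)):
            raise TokenError("malformed Authorization header")
        found.append((match.group(1), "header"))

    # 2.2 Form-Encoded Body Parameter: single-part x-www-form-urlencoded body,
    # and the method must be one with body semantics, so never GET.
    media_type = content_type.split(";")[0].strip().lower()
    if media_type == "application/x-www-form-urlencoded" and body:
        params = parse_qs(body, keep_blank_values=True)
        if "access_token" in params:
            if method.upper() == "GET":
                raise TokenError("access_token in a form body is not allowed with GET")
            values = params["access_token"]
            if len(values) != 1 or not _B64TOKEN.match(values[0]):
                raise TokenError("malformed access_token form parameter")
            found.append((values[0], "form"))

    # 2.3 URI Query Parameter: discouraged because the token ends up in server
    # logs, Referer headers and caches; servers answering it should send
    # "Cache-Control: private". A "+" in the token must be percent-encoded here.
    query = parse_qs(query_string, keep_blank_values=True)
    if "access_token" in query:
        values = query["access_token"]
        if len(values) != 1 or not _B64TOKEN.match(values[0]):
            raise TokenError("malformed access_token query parameter")
        found.append((values[0], "query"))

    if not found:
        return None
    if len(found) > 1:
        raise TokenError("token sent by more than one method: " + ", ".join(t for _, t in found))
    return found[0]


def www_authenticate(realm, error=None, description=None):
    """Build the WWW-Authenticate challenge for a rejection (RFC 6750 section 3)."""
    def quoted(value):
        return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
    parts = ["realm=" + quoted(realm)]
    if error:
        parts.append("error=" + quoted(error))
    if description:
        parts.append("error_description=" + quoted(description))
    return "Bearer " + ", ".join(parts)


if __name__ == "__main__":
    token = "mF_9.B5f-4.1JqM"  # sample token value from RFC 6750, constructed request below
    # GET with the header method, which OpenID Connect says a GET client SHOULD use
    print(extract_bearer_token("GET", {"Authorization": "Bearer " + token}))
    # POST with the body method, the option Tony asks the Standard spec to call out
    print(extract_bearer_token("POST", {}, body="access_token=" + token,
                               content_type="application/x-www-form-urlencoded"))
    print(www_authenticate("userinfo", "invalid_token", "The access token expired"))
```

A caller maps the result onto the UserInfo endpoint's responses: None becomes a 401 with `www_authenticate(realm)` and no error code, a TokenError becomes a 400 with error="invalid_request", and a token that fails validation becomes a 401 with error="invalid_token".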
