[Openid-specs-ab] UserInfo Request

sakimura sakimura at gmail.com
Thu Sep 29 08:29:09 UTC 2011


 That's our intention from the beginning so the text apparently is not 
 working.

 Perhaps you could suggest a text?

 I will make a ticket in the issue tracker.

 =nat

 On Thu, 29 Sep 2011 03:00:37 +0000, Mike Jones wrote:
> I agree with Tony here. He and I both read the Basic and Standard
> specs to see if the parameter could be passed in the body, and to
> both of us, it appeared that OpenID Connect (as a profile of OAuth
> 2.0) was intentionally ruling this out.
>
> Nat, could you maybe add an issue in the issue tracker to clean up
> this language, at least in the Standard spec, to make it clear that
> all the OAuth 2.0 parameter passing methods can be used? (Breno
> should like this too. :-) )
>
>  Thanks,
>
>  -- Mike
>
> FROM: openid-specs-ab-bounces at lists.openid.net
> [mailto:openid-specs-ab-bounces at lists.openid.net] ON BEHALF OF
> Anthony Nadalin
>  SENT: Wednesday, September 28, 2011 7:52 PM
>  TO: Nat Sakimura
>  CC: openid-specs-ab at lists.openid.net
>  SUBJECT: Re: [Openid-specs-ab] UserInfo Request
>
> I think it's confusing the way it reads as it does not give me an
> option to use the OAUTH Core, so how would I know????
>
> FROM: Nat Sakimura [mailto:sakimura at gmail.com]
>  SENT: Wednesday, September 28, 2011 5:21 PM
>  TO: Anthony Nadalin
>  CC: openid-specs-ab at lists.openid.net
>  SUBJECT: Re: [Openid-specs-ab] UserInfo Request
>
> I think it does. OAuth allows access_token to be used in HTTP header,
> GET param, and POST param (body), and the text goes "Access tokens
> sent in the authorization header must be BEARER TOKENS
> [1][OAuth.2.0.Bearer]. If the client is using the HTTP GET method, it
> SHOULD send the access token in the authorization header." so it is
> saying:
>
> 1. If the access_token is sent in the HTTP header, it has to use the
> Bearer tokens scheme.
>
> 2. If the request is GET, it has to use HTTP header to send the
> access_token.
>
> (3. Implicitly, because OAuth allows - do as the OAuth says for the
> POST, i.e., Body.)
>
> Are you suggesting that we should add 3. so that people do not have
> to read OAuth.2.0.Bearer?
>
> =nat
>
> On Thu, Sep 29, 2011 at 7:27 AM, Anthony Nadalin wrote:
>
> In http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> [3] it does not call out the use of the body as an option for the
> access token. Since access tokens can get large, there may be issues
> using only the header; the bearer token specification allows usage of
> the body, so should the OpenID standard specification.
>
>  _______________________________________________
>  Openid-specs-ab mailing list
>  Openid-specs-ab at lists.openid.net [4]
>  http://lists.openid.net/mailman/listinfo/openid-specs-ab [5]
>
> --
>  Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
>  http://nat.sakimura.org/ [6]
>  @_nat_en
>
>
>
> Links:
> ------
> [1] http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer
> [2] mailto:tonynad at microsoft.com
> [3] http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> [4] mailto:Openid-specs-ab at lists.openid.net
> [5] http://lists.openid.net/mailman/listinfo/openid-specs-ab
> [6] http://nat.sakimura.org/
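
The three token transports discussed in this thread, as an added example that is not part of the original messages or of either specification's text: a UserInfo-endpoint helper that accepts the access token from the Authorization header, the form-encoded request body, or the query string, and rejects a request that uses more than one of them, as the bearer token specification (later published as RFC 6750) requires. The function name, error class and sample token values are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"

class TokenError(Exception):
    """Request does not carry exactly one well-formed bearer token."""

def _single(params, name="access_token"):
    # A repeated access_token parameter is ambiguous, so refuse it.
    values = params.get(name, [])
    if len(values) > 1:
        raise TokenError("access_token parameter repeated")
    return values[0] if values else None

def extract_access_token(method, headers, query="", body=""):
    """Return (token, transport) for a UserInfo request, or raise TokenError."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    found = {}

    # 1. Authorization header: the scheme has to be Bearer.
    auth = hdrs.get("authorization")
    if auth is not None:
        scheme, _, value = auth.partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            raise TokenError("Authorization header must use the Bearer scheme")
        found["header"] = value.strip()

    # 2. Request body: only for non-GET requests with a form-encoded body.
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() != "GET" and ctype == FORM:
        token = _single(parse_qs(body))
        if token:
            found["body"] = token

    # 3. URI query parameter.
    token = _single(parse_qs(query))
    if token:
        found["query"] = token

    # A client must not use more than one transport in a single request.
    if len(found) > 1:
        raise TokenError("access token sent by more than one method")
    if not found:
        raise TokenError("no access token in request")
    transport, token = next(iter(found.items()))
    return token, transport

if __name__ == "__main__":
    # Constructed sample request: a POST carrying the token in the body.
    print(extract_access_token("POST", {"Content-Type": FORM}, body="access_token=SAMPLE-TOKEN"))
```

A caller would map `TokenError` to the endpoint's error response; which status and error code to return for each case is left to the deployment.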


