[Openid-specs-ab] UserInfo Request

Nat Sakimura sakimura at gmail.com
Thu Sep 29 14:00:07 UTC 2011


As far as I understand, it was both for the simplicity and interoperability.
Besides, MAC does not add much in terms of security.
2011/09/29 22:40 "Richer, Justin P." <jricher at mitre.org>:
> Sorry if this has been covered before, but am I missing why MAC or some
> other OAuth2-bound token can't be used in OpenID Connect? Is it for the sake
> of simplicity ("just pick one") or interoperability ("... and stick with
> it"), or is something else strongly binding to the Bearer spec?
>
> -- Justin
> ________________________________________
> From: openid-specs-ab-bounces at lists.openid.net
> [openid-specs-ab-bounces at lists.openid.net] On Behalf Of Anthony Nadalin
> [tonynad at microsoft.com]
> Sent: Wednesday, September 28, 2011 10:51 PM
> To: Nat Sakimura
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] UserInfo Request
>
> I think it's confusing the way it reads as it does not give me an option
> to use the OAuth Core, so how would I know????
>
> From: Nat Sakimura [mailto:sakimura at gmail.com]
> Sent: Wednesday, September 28, 2011 5:21 PM
> To: Anthony Nadalin
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] UserInfo Request
>
> I think it does. OAuth allows access_token to be used in HTTP header, GET
> param, and POST param (body), and the text goes "Access tokens sent in the
> authorization header must be Bearer tokens [OAuth.2.0.Bearer]
> (http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer).
> If the client is using the HTTP GET method, it SHOULD send the access token
> in the authorization header." so it is saying:
>
> 1. If the access_token is sent in the HTTP header, it has to use the
> Bearer tokens scheme.
> 2. If the request is GET, it has to use HTTP header to send the
> access_token.
> (3. Implicitly, because OAuth allows - do as the OAuth says for the POST,
> i.e., Body.)
>
> Are you suggesting that we should add 3. so that people do not have to
> read OAuth.2.0.Bearer?
>
> =nat
>
>
> On Thu, Sep 29, 2011 at 7:27 AM, Anthony Nadalin <tonynad at microsoft.com>
> wrote:
> In http://openid.net/specs/openid-connect-standard-1_0.html#anchor19 it
> does not call out the use of the body as an option for the access token;
> since access tokens can get large, there may be issues using only the header.
> The bearer token specification allows usage of the body, so should the
> OpenID standard specification.
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
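The thread turns on where a UserInfo request may carry the access token: in the Authorization header with the Bearer scheme (mandatory for GET) or, for a POST, in the form-encoded body, which matters once tokens get large. The following is an added example, not code from the thread or from any OpenID Foundation project, of a resource-server check that accepts exactly those two placements as specified in RFC 6750 (the finalised form of the OAuth.2.0.Bearer draft the messages cite), plus the client-side request shapes. The realm name "userinfo", the request tuple layout and the dict-based headers are this example's own conventions, not anything from the specs.

```python
"""Added example (not part of the mailing-list thread): validating the
placement of a bearer access token on a UserInfo-style endpoint.
Requests are plain Python values, not real HTTP."""

from urllib.parse import parse_qs, urlencode

FORM = "application/x-www-form-urlencoded"


class BearerError(Exception):
    """Request does not carry exactly one well-formed bearer token."""

    def __init__(self, message, error=None):
        super().__init__(message)
        # RFC 6750 error code; None when no token was presented at all,
        # in which case the challenge carries no error code (section 3.1).
        self.error = error


def _header_token(headers):
    # Header names and the scheme name "Bearer" are both case-insensitive.
    for name, value in headers.items():
        if name.lower() != "authorization":
            continue
        parts = value.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "bearer" and parts[1].strip():
            return parts[1].strip()
        raise BearerError("malformed Authorization header", "invalid_request")
    return None


def _body_token(method, content_type, body):
    # RFC 6750 section 2.2: the token may sit in a form-encoded body, but a
    # GET has no body, so the header placement is the only one open to it.
    if method.upper() == "GET" or not body:
        return None
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type != FORM:
        return None
    values = parse_qs(body).get("access_token", [])
    if len(values) > 1:
        raise BearerError("access_token parameter repeated", "invalid_request")
    return values[0] if values else None


def extract_bearer_token(method, headers, content_type=None, body=""):
    """Return the single bearer token in the request or raise BearerError."""
    candidates = [
        t
        for t in (_header_token(headers), _body_token(method, content_type, body))
        if t is not None
    ]
    if not candidates:
        raise BearerError("no bearer token in request")
    if len(candidates) > 1:
        # Section 2: clients MUST NOT use more than one method per request.
        raise BearerError("token sent in more than one place", "invalid_request")
    return candidates[0]


def unauthorized_challenge(exc, realm="userinfo"):
    """WWW-Authenticate value for a 401 (hypothetical realm name)."""
    if exc.error is None:
        return 'Bearer realm="%s"' % realm
    return 'Bearer realm="%s", error="%s"' % (realm, exc.error)


def handle_userinfo(method, headers, content_type=None, body=""):
    """Resource-server entry point: (200, token) or (401, challenge)."""
    try:
        return 200, extract_bearer_token(method, headers, content_type, body)
    except BearerError as exc:
        return 401, unauthorized_challenge(exc)


def userinfo_request(token, method="GET"):
    """Client side: the two request shapes the thread describes, as
    (method, headers, content_type, body)."""
    if method.upper() == "GET":
        return "GET", {"Authorization": "Bearer " + token}, None, ""
    return "POST", {}, FORM, urlencode({"access_token": token})


if __name__ == "__main__":
    # Constructed tokens; a long one stands in for the "large token" case.
    for req in (userinfo_request("short-token"), userinfo_request("x" * 4000, "POST")):
        print(handle_userinfo(*req)[0])
```

The query-parameter placement that RFC 6750 also defines (section 2.3) is deliberately not accepted here: tokens in URLs end up in server logs and Referer headers, which is why the RFC itself discourages that form and why the thread only discusses header and body.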