[Openid-specs-ab] UserInfo Request

Mike Jones Michael.Jones at microsoft.com
Thu Sep 29 15:50:43 UTC 2011

Standard currently says in the access_token description in 6.1<http://openid.net/specs/openid-connect-standard-1_0.html#anchor19>:  “If the client is using the HTTP GET method, it SHOULD send the access token in the authorization header.”  I would add to this:  “The access_token MAY alternatively be sent in the message body, as described in the OAuth.2.0.Bearer specification.”

                                                                           -- Mike

-----Original Message-----
From: sakimura [mailto:sakimura at gmail.com]
Sent: Thursday, September 29, 2011 1:29 AM
To: Mike Jones
Cc: Anthony Nadalin; openid-specs-ab at lists.openid.net
Subject: RE: [Openid-specs-ab] UserInfo Request

That's our intention from the beginning, so the text apparently is not working.

Perhaps you could suggest a text?

I will make a ticket in the issue tracker.


On Thu, 29 Sep 2011 03:00:37 +0000, Mike Jones wrote:

> I agree with Tony here. He and I both read the Basic and Standard
> specs to see if the parameter could be passed in the body, and to both
> of us, it appeared that OpenID Connect (as a profile of OAuth 2.0) was
> intentionally ruling this out.
>
> Nat, could you maybe add an issue in the issue tracker to clean up
> this language, at least in the Standard spec, to make it clear that
> all the OAuth 2.0 parameter passing methods can be used? (Breno should
> like this too. :) )
>
> Thanks,
>
> -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net
> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Anthony
> Nadalin
> Sent: Wednesday, September 28, 2011 7:52 PM
> To: Nat Sakimura
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] UserInfo Request
>
> I think it's confusing the way it reads as it does not give me an
> option to use the OAUTH Core, so how would I know????
>
> From: Nat Sakimura [mailto:sakimura at gmail.com]
> Sent: Wednesday, September 28, 2011 5:21 PM
> To: Anthony Nadalin
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] UserInfo Request
>
> I think it does. OAuth allows access_token to be used in HTTP header,
> GET param, and POST param (body), and the text goes "Access tokens
> sent in the authorization header must be Bearer Tokens
> [1][OAuth.2.0.Bearer]. If the client is using the HTTP GET method, it
> SHOULD send the access token in the authorization header." so it is
> saying:
>
> 1. If the access_token is sent in the HTTP header, it has to use the
> Bearer tokens scheme.
>
> 2. If the request is GET, it has to use HTTP header to send the
> access_token.
>
> (3. Implicitly, because OAuth allows - do as the OAuth says for the
> POST, i.e., Body.)
>
> Are you suggesting that we should add 3. so that people do not have
> to read OAuth.2.0.Bearer?
>
> =nat
>
> On Thu, Sep 29, 2011 at 7:27 AM, Anthony Nadalin wrote:
>
> In http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> [3] it does not call out the use of the body as an option for the
> access token, since access tokens can get large there may be issues
> using only the header, the bearer token specification allows usage of
> the body, so should the openid standard specification.
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net [4]
> http://lists.openid.net/mailman/listinfo/openid-specs-ab [5]
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/ [6]
> @_nat_en
>
> Links:
> ------
> [1] http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer
> [2] mailto:tonynad at microsoft.com
> [3] http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> [4] mailto:Openid-specs-ab at lists.openid.net
> [5] http://lists.openid.net/mailman/listinfo/openid-specs-ab
> [6] http://nat.sakimura.org/
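Nat's breakdown of the three OAuth 2.0 Bearer transports (Authorization header, form-encoded body, query parameter) and Mike's proposed "MAY alternatively be sent in the message body" wording are what a UserInfo endpoint has to accept on the server side. The following extraction routine is an added example, not code from the OpenID Connect spec or any OpenID project; the `Request` class and function names are assumptions, and it also enforces the Bearer-spec rules that a body parameter needs a non-GET method with a form-encoded body and that a client may use only one transport per request.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for this example)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)  # header names lower-cased
    query: str = ""  # raw query string without the leading '?'
    body: str = ""   # raw request body


def _header_token(req: Request) -> Optional[str]:
    # Authorization header: the scheme must be "Bearer" (case-insensitive).
    scheme, _, value = req.headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    return value.strip() or None


def _body_token(req: Request) -> Optional[str]:
    # Form body parameter: only on a method that carries a body (so never GET)
    # and only with a single-part application/x-www-form-urlencoded body.
    ctype = req.headers.get("content-type", "").split(";")[0].strip().lower()
    if req.method.upper() == "GET" or ctype != "application/x-www-form-urlencoded":
        return None
    values = parse_qs(req.body).get("access_token", [])
    return values[0] if len(values) == 1 else None


def _query_token(req: Request) -> Optional[str]:
    # URI query parameter: allowed by the Bearer spec but discouraged, because
    # the token then lands in access logs, proxy logs and Referer headers.
    values = parse_qs(req.query).get("access_token", [])
    return values[0] if len(values) == 1 else None


def extract_access_token(req: Request) -> Tuple[Optional[str], Optional[str]]:
    """Return (token, error). error is None on success, "missing" when no token
    was presented (answer 401 with WWW-Authenticate: Bearer), or
    "invalid_request" when the client used more than one transport."""
    found = [t for t in (_header_token(req), _body_token(req), _query_token(req)) if t]
    if not found:
        return None, "missing"
    if len(found) > 1:
        return None, "invalid_request"
    return found[0], None
```

Token validation (signature, expiry, scope) happens after extraction and is out of scope here.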
