[Openid-specs-ab] UserInfo Request

Mike Jones Michael.Jones at microsoft.com
Thu Sep 29 15:50:43 UTC 2011


Standard currently says in the access_token description in 6.1 <http://openid.net/specs/openid-connect-standard-1_0.html#anchor19>: “If the client is using the HTTP GET method, it SHOULD send the access token in the authorization header.” I would add to this: “The access_token MAY alternatively be sent in the message body, as described in the OAuth.2.0.Bearer specification.”



-- Mike



-----Original Message-----
From: sakimura [mailto:sakimura at gmail.com]
Sent: Thursday, September 29, 2011 1:29 AM
To: Mike Jones
Cc: Anthony Nadalin; openid-specs-ab at lists.openid.net
Subject: RE: [Openid-specs-ab] UserInfo Request



That's our intention from the beginning so the text apparently is not working.

Perhaps could you suggest a text?

I will make a ticket at issue tracker.

=nat



On Thu, 29 Sep 2011 03:00:37 +0000, Mike Jones wrote:

> I agree with Tony here. He and I both read the Basic and Standard
> specs to see if the parameter could be passed in the body, and to both
> of us, it appeared that OpenID Connect (as a profile of OAuth 2.0) was
> intentionally ruling this out.
>
> Nat, could you maybe add an issue in the issue tracker to clean up
> this language, at least in the Standard spec, to make it clear that
> all the OAuth 2.0 parameter passing methods can be used? (Breno should
> like this too. :) )
>
> Thanks,
>
> -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net
> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Anthony Nadalin
> Sent: Wednesday, September 28, 2011 7:52 PM
> To: Nat Sakimura
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] UserInfo Request
>
> I think it's confusing the way it reads as it does not give me an
> option to use the OAUTH Core, so how would I know????
>
> From: Nat Sakimura [mailto:sakimura at gmail.com]
> Sent: Wednesday, September 28, 2011 5:21 PM
> To: Anthony Nadalin
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] UserInfo Request
>
> I think it does. OAuth allows access_token to be used in HTTP header,
> GET param, and POST param (body), and the text goes "Access tokens
> sent in the authorization header must be Bearer Tokens
> [1][OAuth.2.0.Bearer]. If the client is using the HTTP GET method, it
> SHOULD send the access token in the authorization header." so it is
> saying:
>
> 1. If the access_token is sent in the HTTP header, it has to use the
> Bearer tokens scheme.
>
> 2. If the request is GET, it has to use HTTP header to send the
> access_token.
>
> (3. Implicitly, because OAuth allows - do as the OAuth says for the
> POST, i.e., Body.)
>
> Are you suggesting that we should add 3. so that people do not have
> to read OAuth.2.0.Bearer?
>
> =nat
>
> On Thu, Sep 29, 2011 at 7:27 AM, Anthony Nadalin wrote:
>
> In http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> [3] it does not call out the use of the body as an option for the
> access token, since access tokens can get large there may be issues
> using only the header, the bearer token specification allows usage of
> the body, so should the openid standard specification.
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net [4]
> http://lists.openid.net/mailman/listinfo/openid-specs-ab [5]
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/ [6]
> @_nat_en
>
> Links:
> ------
> [1] http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer
> [2] mailto:tonynad at microsoft.com
> [3] http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> [4] mailto:Openid-specs-ab at lists.openid.net
> [5] http://lists.openid.net/mailman/listinfo/openid-specs-ab
> [6] http://nat.sakimura.org/
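The three token-transmission methods the thread is debating (Authorization header, form-encoded body, query parameter), worked through from the UserInfo endpoint's side as an added example for this archive page; it is not code from the OpenID specs or from any OpenID Foundation implementation. The request shape, the error strings and the constructed sample requests in the test are assumptions; the rules themselves follow the OAuth 2.0 Bearer usage the thread refers to, including that a GET request cannot carry the token in a body and that a client must not use more than one method at once.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# b64token syntax from the OAuth 2.0 Bearer specification; scheme name is case-insensitive.
BEARER_RE = re.compile(r"^\s*Bearer\s+([A-Za-z0-9\-._~+/]+=*)\s*$", re.IGNORECASE)


@dataclass
class UserInfoRequest:
    """Minimal request shape (assumed for this example); header names are lower-cased."""
    method: str
    headers: dict = field(default_factory=dict)
    query: str = ""   # raw query string, e.g. "access_token=..."
    body: str = ""    # raw request body


def extract_access_token(req):
    """Locate the bearer token in a UserInfo request.

    Returns (token, None) on success, or (None, error) where error is
    "missing_token" (answer 401 with a WWW-Authenticate: Bearer challenge) or
    "invalid_request" (malformed header, or more than one transmission method used).
    """
    found = []
    # 1. Authorization header: the method the Standard spec says a GET SHOULD use.
    auth = req.headers.get("authorization")
    if auth is not None:
        m = BEARER_RE.match(auth)
        if m is None:
            return None, "invalid_request"   # not the Bearer scheme, or malformed
        found.append(m.group(1))
    # 2. Form-encoded body: permitted for non-GET requests only (the "POST param" case).
    media_type = req.headers.get("content-type", "").split(";")[0].strip().lower()
    if req.method.upper() != "GET" and media_type == "application/x-www-form-urlencoded":
        found.extend(parse_qs(req.body).get("access_token", []))
    # 3. Query parameter: permitted by Bearer but least preferred, since URLs end up in logs.
    found.extend(parse_qs(req.query).get("access_token", []))
    if not found:
        return None, "missing_token"
    if len(found) > 1:
        return None, "invalid_request"      # client MUST NOT use more than one method
    return found[0], None
```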



