[Openid-specs-ab] UserInfo Request

John Bradley ve7jtb at ve7jtb.com
Thu Sep 29 16:33:35 UTC 2011


That is fine with me.
On 2011-09-29, at 12:50 PM, Mike Jones wrote:

> Standard currently says in the access_token description in 6.1:  “If the client is using the HTTP GET method, it SHOULD send the access token in the authorization header.”  I would add to this:  “The access_token MAY alternatively be sent in the message body, as described in the OAuth.2.0.Bearer specification.”
>  
>  -- Mike
>  
> -----Original Message-----
> From: sakimura [mailto:sakimura at gmail.com] 
> Sent: Thursday, September 29, 2011 1:29 AM
> To: Mike Jones
> Cc: Anthony Nadalin; openid-specs-ab at lists.openid.net
> Subject: RE: [Openid-specs-ab] UserInfo Request
>  
> That's our intention from the beginning so the text apparently is not working.
>  
> Perhaps you could suggest a text?
>  
> I will make a ticket in the issue tracker.
>  
> =nat
>  
> On Thu, 29 Sep 2011 03:00:37 +0000, Mike Jones wrote:
> > I agree with Tony here. He and I both read the Basic and Standard
> > specs to see if the parameter could be passed in the body, and to both
> > of us, it appeared that OpenID Connect (as a profile of OAuth 2.0) was
> > intentionally ruling this out.
> > 
> > Nat, could you maybe add an issue in the issue tracker to clean up
> > this language, at least in the Standard spec, to make it clear that
> > all the OAuth 2.0 parameter passing methods can be used? (Breno should
> > like this too. :)
> > 
> >  Thanks,
> > 
> >  -- Mike
> > 
> > FROM: openid-specs-ab-bounces at lists.openid.net
> > [mailto:openid-specs-ab-bounces at lists.openid.net] ON BEHALF OF Anthony
> > Nadalin
> >  SENT: Wednesday, September 28, 2011 7:52 PM
> >  TO: Nat Sakimura
> >  CC: openid-specs-ab at lists.openid.net
> >  SUBJECT: Re: [Openid-specs-ab] UserInfo Request
> > 
> > I think it's confusing the way it reads as it does not give me an
> > option to use the OAUTH Core, so how would I know????
> > 
> > FROM: Nat Sakimura [mailto:sakimura at gmail.com]
> >  SENT: Wednesday, September 28, 2011 5:21 PM
> >  TO: Anthony Nadalin
> >  CC: openid-specs-ab at lists.openid.net
> >  SUBJECT: Re: [Openid-specs-ab] UserInfo Request
> > 
> > I think it does. OAuth allows access_token to be used in HTTP header,
> > GET param, and POST param (body), and the text goes "Access tokens
> > sent in the authorization header must be BEARER TOKENS
> > [1][OAuth.2.0.Bearer]. If the client is using the HTTP GET method, it
> > SHOULD send the access token in the authorization header." so it is
> > saying:
> > 
> > 1. If the access_token is sent in the HTTP header, it has to use the
> > Bearer tokens scheme.
> > 
> > 2. If the request is GET, it has to use HTTP header to send the
> > access_token.
> > 
> > (3. Implicitly, because OAuth allows - do as the OAuth says for the
> > POST, i.e., Body.)
> > 
> > Are you suggesting that we should add 3. so that people do not have
> > to read OAuth.2.0.Bearer?
> > 
> > =nat
> > 
> > On Thu, Sep 29, 2011 at 7:27 AM, Anthony Nadalin  wrote:
> > 
> > In http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> > [3] it does not call out the use of the body as an option for the
> > access token, since access tokens can get large there may be issues
> > using only the header, the bearer token specification allows usage of
> > the body, so should the openid standard specification.
> > 
> >  _______________________________________________
> >  Openid-specs-ab mailing list
> >  Openid-specs-ab at lists.openid.net [4]
> >  http://lists.openid.net/mailman/listinfo/openid-specs-ab [5]
> > 
> > --
> >  Nat Sakimura (=nat)
> > 
> > Chairman, OpenID Foundation
> >  http://nat.sakimura.org/ [6]
> >  @_nat_en
> > 
> > 
> > 
> > Links:
> > ------
> > [1] http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer
> > [2] mailto:tonynad at microsoft.com
> > [3] http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> > [4] mailto:Openid-specs-ab at lists.openid.net
> > [5] http://lists.openid.net/mailman/listinfo/openid-specs-ab
> > [6] http://nat.sakimura.org/
>  
>  
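
The three ways of carrying the access token discussed in this thread (Authorization header, POST body, GET parameter), seen from the UserInfo endpoint's side, as an added example that is not part of the original thread or of any OpenID Connect implementation. It assumes the rules of the Bearer token specification as later published (RFC 6750): the body method needs a form-encoded non-GET request, and a request carrying the token more than once is rejected. `extract_access_token`, `TokenError` and the sample token are hypothetical, constructed names and values.

```python
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"

class TokenError(Exception):
    """The request does not carry exactly one well-formed access token."""

def extract_access_token(method, headers, query="", body=""):
    """Return (where, token) for a UserInfo request, or raise TokenError."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    found = []
    # 1. Authorization header: must use the Bearer scheme.
    auth = hdrs.get("authorization")
    if auth is not None:
        scheme, _, value = auth.partition(" ")
        if scheme.lower() != "bearer" or not value.strip():
            raise TokenError("Authorization header must use the Bearer scheme")
        found.append(("header", value.strip()))
    # 2. Form-encoded body: honoured only on non-GET requests of the form type.
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if method.upper() != "GET" and ctype == FORM:
        found += [("body", t) for t in parse_qs(body).get("access_token", [])]
    # 3. URI query parameter.
    found += [("query", t) for t in parse_qs(query).get("access_token", [])]
    # Exactly one method per request; anything else is rejected.
    if len(found) != 1:
        raise TokenError(f"expected one access token, found {len(found)}")
    return found[0]

# Constructed sample: a token too large to fit comfortably in a header.
LARGE_TOKEN = "tok" + "A" * 6000

if __name__ == "__main__":
    print(extract_access_token("GET", {"Authorization": "Bearer abc123"}))
    where, tok = extract_access_token(
        "POST", {"Content-Type": FORM}, body="access_token=" + LARGE_TOKEN)
    print(where, len(tok))
```
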
