[Openid-specs-ab] UserInfo Request

Nat Sakimura sakimura at gmail.com
Thu Sep 29 18:14:36 UTC 2011


Ticket created as

https://bitbucket.org/openid/connect/issue/135/standard-61-userinfo-text-clarification-on

=nat

On Fri, Sep 30, 2011 at 12:50 AM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> Standard currently says in the access_token description in 6.1 <http://openid.net/specs/openid-connect-standard-1_0.html#anchor19>:
> "If the client is using the HTTP GET method, it SHOULD send the access token
> in the authorization header." I would add to this: "The access_token MAY
> alternatively be sent in the message body, as described in the
> OAuth.2.0.Bearer specification."
>
> -- Mike
>
> -----Original Message-----
> From: sakimura [mailto:sakimura at gmail.com]
> Sent: Thursday, September 29, 2011 1:29 AM
> To: Mike Jones
> Cc: Anthony Nadalin; openid-specs-ab at lists.openid.net
> Subject: RE: [Openid-specs-ab] UserInfo Request
>
> That's our intention from the beginning, so the text apparently is not
> working.
>
> Perhaps could you suggest a text?
>
> I will make a ticket at the issue tracker.
>
> =nat
>
> On Thu, 29 Sep 2011 03:00:37 +0000, Mike Jones wrote:
>
> > I agree with Tony here. He and I both read the Basic and Standard
> > specs to see if the parameter could be passed in the body, and to both
> > of us, it appeared that OpenID Connect (as a profile of OAuth 2.0) was
> > intentionally ruling this out.
> >
> > Nat, could you maybe add an issue in the issue tracker to clean up
> > this language, at least in the Standard spec, to make it clear that
> > all the OAuth 2.0 parameter passing methods can be used? (Breno should
> > like this too. :) )
> >
> > Thanks,
> >
> > -- Mike
> >
> > From: openid-specs-ab-bounces at lists.openid.net
> > [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Anthony
> > Nadalin
> > Sent: Wednesday, September 28, 2011 7:52 PM
> > To: Nat Sakimura
> > Cc: openid-specs-ab at lists.openid.net
> > Subject: Re: [Openid-specs-ab] UserInfo Request
> >
> > I think it's confusing the way it reads, as it does not give me an
> > option to use the OAUTH Core, so how would I know????
> >
> > From: Nat Sakimura [mailto:sakimura at gmail.com]
> > Sent: Wednesday, September 28, 2011 5:21 PM
> > To: Anthony Nadalin
> > Cc: openid-specs-ab at lists.openid.net
> > Subject: Re: [Openid-specs-ab] UserInfo Request
> >
> > I think it does. OAuth allows access_token to be used in HTTP header,
> > GET param, and POST param (body), and the text goes "Access tokens
> > sent in the authorization header must be BEARER TOKENS
> > [1][OAuth.2.0.Bearer]. If the client is using the HTTP GET method, it
> > SHOULD send the access token in the authorization header." so it is
> > saying:
> >
> > 1. If the access_token is sent in the HTTP header, it has to use the
> > Bearer tokens scheme.
> >
> > 2. If the request is GET, it has to use HTTP header to send the
> > access_token.
> >
> > (3. Implicitly, because OAuth allows it - do as the OAuth says for the
> > POST, i.e., Body.)
> >
> > Are you suggesting that we should add 3. so that people do not have
> > to read OAuth.2.0.Bearer?
> >
> > =nat
> >
> > On Thu, Sep 29, 2011 at 7:27 AM, Anthony Nadalin wrote:
> >
> > In http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> > [3] it does not call out the use of the body as an option for the
> > access token. Since access tokens can get large, there may be issues
> > using only the header; the bearer token specification allows usage of
> > the body, so should the openid standard specification.
> >
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net [4]
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab [5]
> >
> > --
> > Nat Sakimura (=nat)
> > Chairman, OpenID Foundation
> > http://nat.sakimura.org/ [6]
> > @_nat_en
> >
> > Links:
> > ------
> > [1] http://openid.net/specs/openid-connect-standard-1_0.html#OAuth.2.0.Bearer
> > [2] mailto:tonynad at microsoft.com
> > [3] http://openid.net/specs/openid-connect-standard-1_0.html#anchor19
> > [4] mailto:Openid-specs-ab at lists.openid.net
> > [5] http://lists.openid.net/mailman/listinfo/openid-specs-ab
> > [6] http://nat.sakimura.org/
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
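The thread turns on the three ways OAuth 2.0 Bearer lets a client hand the access token to the UserInfo endpoint: the Authorization header, a form-encoded body parameter, and a URI query parameter. The following is an added example (not code from the OpenID Connect specifications, the OpenID Foundation, or anyone in this thread) of how a UserInfo endpoint might accept all three while enforcing the Bearer rule that a client must not use more than one method per request. The request shape (method, headers, query string, body, content type passed as plain values) is an assumed stand-in for a real web framework's request object, and the sample requests in the usage function are constructed.

```python
"""Extract the access token from a UserInfo request by the three OAuth 2.0
Bearer transmission methods (Authorization header, form body, URI query).

Added example; not the OpenID Connect specs' own code. The request is
modelled as plain values instead of a framework request object (assumption).
"""
import re
from urllib.parse import parse_qs

# b64token syntax from the Bearer spec: ALPHA / DIGIT / - . _ ~ + / then optional '='
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$")
_FORM = "application/x-www-form-urlencoded"


class TokenError(Exception):
    """No usable token, a malformed one, or a token sent more than one way."""


def _single(values, where):
    """Reject a parameter that appears twice in the same location."""
    if len(values) > 1:
        raise TokenError("access_token given more than once in %s" % where)
    return values[0] if values else None


def extract_bearer_token(method, headers, query="", body="", content_type=""):
    """Return (method_used, token) for a request, or raise TokenError.

    method_used is one of "header", "body", "query" so the resource server can
    log (and, if it wishes, discourage) the query-string method, which leaks
    the token into server logs and Referer headers.
    """
    found = {}

    # 1. Authorization request header, the method the Standard text recommends for GET
    auth = headers.get("Authorization", headers.get("authorization"))
    if auth is not None:
        m = _BEARER_RE.match(auth.strip())
        if m is None:
            raise TokenError("Authorization header is not a well-formed Bearer credential")
        found["header"] = m.group(1)

    # 2. Form-encoded body parameter: only for non-GET requests carrying a form body
    media_type = content_type.split(";", 1)[0].strip().lower()
    if method.upper() != "GET" and media_type == _FORM and body:
        token = _single(parse_qs(body, keep_blank_values=True).get("access_token", []), "body")
        if token:
            found["body"] = token

    # 3. URI query parameter (permitted by Bearer, but the least safe of the three)
    if query:
        token = _single(parse_qs(query, keep_blank_values=True).get("access_token", []), "query")
        if token:
            found["query"] = token

    if not found:
        raise TokenError("no access token in request")
    if len(found) > 1:
        # Bearer: clients MUST NOT use more than one method per request
        raise TokenError("access token sent by more than one method: %s" % sorted(found))
    ((method_used, token),) = found.items()
    return method_used, token


def demo():
    """Constructed sample requests covering each method and the failure cases."""
    results = {}
    results["get_header"] = extract_bearer_token(
        "GET", {"Authorization": "Bearer mF_9.B5f-4.1JqM"})
    results["post_body"] = extract_bearer_token(
        "POST", {}, body="access_token=tok-in-body&scope=openid", content_type=_FORM)
    results["get_query"] = extract_bearer_token(
        "GET", {}, query="access_token=tok-in-query")
    for name, args in {
        "both": ("GET", {"Authorization": "Bearer a"}, "access_token=b"),
        "basic_not_bearer": ("GET", {"Authorization": "Basic dXNlcjpwdw=="}, ""),
        "body_on_get": ("GET", {}, "", "access_token=x", _FORM),
    }.items():
        try:
            extract_bearer_token(*args)
            results[name] = None
        except TokenError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Tony's point about large tokens is one reason to accept the body: a resource server that only reads the header forces clients toward the query string once headers grow past proxy limits, which is the worst of the three places for the token to end up.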