[Openid-specs-ab] Description of js_origin_uri (JavaScript Origin URI) in Client Registration Spec

Mike Jones Michael.Jones at microsoft.com
Wed Nov 23 20:37:27 UTC 2011

I think that declaring reserved words at this point is overkill.  We're only at (pre) Implementer's Draft stage, after all.

For now, let's just delete the js_origin_uri element and say in Registration that "other elements MAY be included in the registration".

I do agree that we should avoid requiring redirect_uri for flows that don't use them.  For now, its inclusion should probably be RECOMMENDED or SHOULD, to be able to accommodate such flows in the future.

                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Breno de Medeiros
Sent: Wednesday, November 23, 2011 12:27 PM
To: John Bradley
Cc: openid-specs-ab at lists.openid.net; Edmund Jay
Subject: Re: [Openid-specs-ab] Description of js_origin_uri (Javascrip Origin URI) in Client Registration Spec

Well, there's nothing wrong with declaring reserved words without specifying what they are for. That maybe a good compromise.
On Wed, Nov 23, 2011 at 12:21, John Bradley <ve7jtb at ve7jtb.com<mailto:ve7jtb at ve7jtb.com>> wrote:
We don't currently have a registration process for new registration elements.  Nothing stops someone from sending them, but nothing to stop collisions.

It may be clearer to have reserved names for:

postmessage_origin   The JS Origin to be used in a postMessage response
postmessage_proxy   The Window ID to be used in a postMessage response. Default value is 'oauth2-relay-frame' if not specified.

What I was trying to avoid was requiring redirect_uri for flows that don't use them.

I like the post message response flow, it just needs more work to make it an extension.

It might be better as an OAuth extension, as long as it can encode multiple tokens.

If you want to do it all later that's fine.

John B.

On 2011-11-23, at 4:44 PM, Breno de Medeiros wrote:

In our implementation we currently name this parameter 'origin' which I think has the benefit of being shorter than 'js_origin_uri'.

A JS Origin is a well-defined HTML5 concept. (And earlier HTML specs also, it has not changed.)

I am not sure we need to put it in the spec provided that we write the spec so that other bindings than HTTP redirect transport (e.g., postmessage-based transport) are allowed to be composed.

At some point I would like this group to work on postmessage binding for connect.
On Wed, Nov 23, 2011 at 11:39, John Bradley <ve7jtb at ve7jtb.com<mailto:ve7jtb at ve7jtb.com>> wrote:
It is used only for postMessage.

Clients wishing to use postMessage MUST register a value.

Looking at Google's registration and the spec a single origin looks sufficient.

A client MUST register a JS Origin if it is requesting a postMessage response.
A client MUST register a redirect_uri if it is requesting a fragment encoded response.

A client MAY register a redirect_uri if it is requesting a query parameter encoded response.

For those that haven't read the google spec you send redirect_uri="postmessage" in the request.
The registered js_origin_uri is used to send the response.

It would be nice if we had a oauth2-postmessage-profile<https://groups.google.com/group/oauth2-postmessage-profile> that didn't require reading the JS source!

Breno should correct me if I have it wrong.

John B.

On 2011-11-23, at 4:11 PM, Edmund Jay wrote:

In the Registration spec, we have a js_origin_uri field which requires more explanation.
Currently, it's defined as :
    OPTIONAL. Space-separated list of JavaScript Origin URIs (used for Post Message flow).

This description is not very informative as is, so the working group decided to do some research.

In the case of OpenID Connect, JavaScript clients may be used to implement parts of the specs.
JavaScript has a same origin policy that only permits pages to interact with each other if they originate from the same origin.
Origin is defined by the scheme, host, and port of a URL. Pages have the same origin if and only if the scheme, host, and port matches exactly.

Some general background about same origin policy can be found at http://www.w3.org/Security/wiki/Same_Origin_Policy

HTML5 defines the exact mechanism for determining the effective origin of a piece of Javascript by using it's "owner".

Given this restriction, there are techniques used by providers to allow cross domain communication. Otherwise, only scripts in the same origin as the providers would be able to work.

This page describes window.postMessage

Project homepage:


Authorized JavaScript Origins
    For example: https://example.com<https://example.com/>

So for the Registration spec, it would just be a list of allowable URIs where client Javascript resides that would interact with the Authorization servers.

Would it be correct to define the js_origin_uri as follows :

    OPTIONAL. A Space-separated list of allowable URIs where client Javascript used for interacting with Authorization Servers reside or embedded.

Another question is, should we eliminate the js_origin_uri, since it's not mentioned anywhere else?
Or do we need to elaborate more on how it's used in the other specs?
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20111123/4337b24e/attachment-0001.html>

More information about the Openid-specs-ab mailing list