[Openid-specs-ab] Spec call notes 13-Feb-12

Justin Richer jricher at mitre.org
Tue Feb 14 14:14:31 UTC 2012

>     #510 and #536 - Messages, Basic - Proposal for adding hash to id_token
>         Issue 510 is the issue asking for a proposal for adding a hash of the
>         code and/or access token along with the ID Token.
>         Issue 536 is the actual proposal from John. His proposal is to modify
>         the 'code id_token' and 'code token id_token' response_types to
>         include the code as a claim inside the id_token. Since id_token is
>         signed, the code is automatically checked by the id_token signature.
>         It is also more in line with Facebook's signed request method. The ID
>         Token is also modified to include an optional access token
>         fingerprint. For full proposal, please see
>         http://hg.openid.net/connect/issue/536/messages-multi-token-response-add-hash-of
>         John will send proposal to the mailing list for feedback.

I'm not a fan of mixing the two tokens, or making the ID token bigger 
than it needs to be. Also, it's a redundancy of information between 
what's in the token and what's in the real parameters. Again, I think 
this is just asking for a signed HTTP request (with all parameters 
signed) more than anything. That would protect the parameters from 
modification in transit.

>     #513 Basic 1.2, Messages 8.14, Discovery 3.1, 3.2 - Issuer Identifier
>     can not contain a path component
>         John made proposal to add a path component to the issuer returned
>         from Simple Web Discovery and append ".well-known/openid-configuration"
>         to the returned issuer string to retrieve the specific configuration
>         information.
>         John has sent this proposal to the list but has not received much
>         feedback.
>         This issue will be discussed at a face to face meeting in the
>         upcoming RSA conference.

I agree with this proposal, as it is problematic to require 
site-root-level access beyond the first static discovery step. This 
would partially address another issue that I'd reported, about the 
openid-configuration being redirectable using SWD semantics, since the 
SWD service wouldn't have to point at the root of a server anymore.

  -- Justin
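The binding discussed in the quoted #536 proposal, as an added example that is not part of this message or of the OpenID Connect specs: the id_token carries a hash of the code and a fingerprint of the access token, so a relying party that checks the id_token signature first can detect a code or access token that was swapped in transit. It assumes the fingerprint is the left-most half of SHA-256, base64url-encoded (the construction later standardized as c_hash/at_hash), uses HMAC-SHA256 over a compact JWS instead of the OP's asymmetric signature for brevity, and all sample values are constructed.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    # base64url without padding, as used in compact JWS serialization
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_hash(value: str) -> str:
    # Assumed fingerprint construction: left-most half of SHA-256 over the token text
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def issue_id_token(claims: dict, code: str, access_token: str, key: bytes) -> str:
    # Hypothetical OP side: add hash claims for code and access token, then sign (HS256 for brevity)
    payload = dict(claims, c_hash=token_hash(code), at_hash=token_hash(access_token))
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_response(id_token: str, code: str, access_token: str, key: bytes) -> tuple:
    # Hypothetical RP side: signature first, then compare front-channel values to the signed hashes
    try:
        header, body, sig = id_token.split(".")
    except ValueError:
        return False, "malformed id_token"
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected).encode(), sig.encode()):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if not hmac.compare_digest(str(claims.get("c_hash", "")).encode(), token_hash(code).encode()):
        return False, "code does not match id_token"
    if not hmac.compare_digest(str(claims.get("at_hash", "")).encode(), token_hash(access_token).encode()):
        return False, "access_token does not match id_token"
    return True, "ok"


# Constructed sample values for a stand-alone run (not real credentials)
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_CODE = "constructed-code-123"
SAMPLE_TOKEN = "constructed-access-token-456"
SAMPLE_CLAIMS = {"iss": "https://op.example", "sub": "248289761001", "aud": "client-1"}

if __name__ == "__main__":
    tok = issue_id_token(SAMPLE_CLAIMS, SAMPLE_CODE, SAMPLE_TOKEN, SAMPLE_KEY)
    print(verify_response(tok, SAMPLE_CODE, SAMPLE_TOKEN, SAMPLE_KEY))
    print(verify_response(tok, "swapped-code", SAMPLE_TOKEN, SAMPLE_KEY))
```

Note that, as the reply above points out, this only binds the code and access token to the id_token; other response parameters remain unsigned.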