[Openid-specs-ab] Handling OpenID request objects

Mike Jones Michael.Jones at microsoft.com
Thu Apr 19 13:20:16 UTC 2012

This was filed as issue 575.  We agreed to change Messages and Standard to state that it is optional to also include OAuth parameters in the OpenID request object, but that if they are in both places, they MUST match.  

Optional OAuth parameters MAY be present only in the OpenID Request object.  The one exception to this is that the scope parameter is the one OAuth parameter that MUST be present in the OAuth request (so the "openid" scope is always present in the OAuth request).

If people disagree, we can discuss this during the April 30th meeting at Yahoo!.

				-- Mike

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov / NimbusDS
Sent: Wednesday, April 11, 2012 2:00 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Handling OpenID request objects

Hi guys,

Two questions came up when implementing the IdP logic to handle OpenID request objects:

Q1: Is it correct that the request object must always include "response_type" and "scope"? If the request object is found to be not exactly according to the spec, should we continue or return error?

Q2: How should the server act when there is a mismatch between a parameter in the Authz request and the request object, e.g. "state"?


"All [...] parameters MUST also be JSON Serialized into the OpenID Request Object with the same values."

"If the same parameters are present both in the Authorization Request and in the OpenID Request Object, the latter takes precedence."

Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
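The following is an added example, not code from either poster or from any OpenID implementation. It shows one way an IdP could apply the rule Mike states above (issue 575): scope with "openid" MUST be in the OAuth request, other OAuth parameters MAY live only in the request object, and any parameter present in both places MUST match, otherwise the request is rejected. Sample parameter values and the scope-comparison-as-token-set choice are assumptions made for this example.

```python
"""Merge an OAuth authorization request with a decoded OpenID request
object under the matching rule discussed in this thread (issue 575)."""
from urllib.parse import parse_qs


class RequestObjectError(ValueError):
    """Raised when the request object cannot be reconciled with the OAuth request."""


def parse_query(query: str) -> dict:
    """Flatten a single-valued authorization request query string into a dict."""
    return {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}


def merge_request(oauth_params: dict, request_object: dict) -> dict:
    """Return the effective request parameters or raise RequestObjectError."""
    # Rule 1: scope MUST be in the OAuth request itself and MUST contain "openid".
    scope = oauth_params.get("scope", "")
    if "openid" not in scope.split():
        raise RequestObjectError("OAuth request must carry scope containing 'openid'")
    # Rule 2: a parameter present in both places MUST have the same value.
    for name, value in request_object.items():
        if name == "request" or name not in oauth_params:
            continue  # "request" carries the object itself; others may be object-only
        if name == "scope":
            # Assumption: scope is compared as a set of tokens, so ordering may differ.
            same = set(str(value).split()) == set(str(oauth_params[name]).split())
        else:
            same = str(oauth_params[name]) == str(value)
        if not same:
            raise RequestObjectError(
                f"parameter {name!r} mismatch: OAuth request has "
                f"{oauth_params[name]!r}, request object has {value!r}")
    # Rule 3: optional OAuth parameters MAY appear only in the request object,
    # so the effective request is the union; values agree wherever both exist.
    merged = dict(request_object)
    merged.update(oauth_params)
    return merged


# Constructed sample input, not taken from the thread.
SAMPLE_QUERY = ("response_type=code&scope=openid+profile"
                "&client_id=s6BhdRkqt3&state=af0ifjsldkj")
SAMPLE_REQUEST_OBJECT = {
    "response_type": "code",
    "scope": "profile openid",          # same tokens, different order: accepted
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",  # present only in the object
    "nonce": "n-0S6_WzA2Mj",
    "state": "af0ifjsldkj",
}
```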
