[Openid-specs-ab] Additional issues/questions with Basic

John Bradley ve7jtb at ve7jtb.com
Thu May 17 19:51:50 UTC 2012

We may have been a bit overzealous with the MUST.   It should be a MUST for implicit and a SHOULD for code.

From 10.6 of OAuth

 The authorization server
   MUST require public clients and SHOULD require confidential clients
   to register their redirection URIs.  If a redirection URI is provided
   in the request, the authorization server MUST validate it against the
   registered value.

I don't the think we are actually precluded from making the SHOULD a must for Connect.


On 2012-05-17, at 2:49 PM, Mike Jones wrote:

> Hi Chuck,
> I was going through some of my mail working on closing the remaining issues to finish the OAuth Bearer RFC and I ran across this message, which I realized that I never responded to.
> Could you expand on “This violates OAuth”?  Is there a change you’d recommend in the Connect specs as a result?
> (The second point is now moot, as we decided to remove the Check ID Endpoint at the last in-person working group meeting.)
>                                                                 Thanks,
>                                                                 -- Mike
> From: Chuck Mortimore [mailto:cmortimore at salesforce.com] 
> Sent: Friday, March 02, 2012 11:13 AM
> To: Mike Jones
> Subject: Additional issues/questions with Basic
> 2.2.1  redirect_uri:  A redirection URI where the response will be sent. This MUST be pre-registered with the provider.
> This Violates OAuth
> 2.3.1 CheckID: access_token:  REQUIRED. The ID Token obtained from an OpenID Connect Authorization Request.
> Why is this the ID Token, but called access_token?
> Why would we use POST if it's in an AuthZ header?
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120517/965f6817/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4937 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120517/965f6817/attachment-0001.p7s>

More information about the Openid-specs-ab mailing list