[Openid-specs-ab] Additional issues/questions with Basic

Nat Sakimura sakimura at gmail.com
Thu May 17 20:03:28 UTC 2012

I think we should keep SHOULD here.
There are use cases that a MUST cannot be fulfilled.

=nat via iPhone

On 2012/05/18, at 4:57, Chuck Mortimore <cmortimore at salesforce.com> wrote:


It was basically pointing out that we were over ridding the OAuth language
and turning SHOULD to MUST.    As a platform, we're ok with it, as we're on
the MUST side of things.


On May 17, 2012, at 12:51 PM, John Bradley wrote:

We may have been a bit overzealous with the MUST.   It should be a MUST for
implicit and a SHOULD for code.

>From 10.6 of OAuth

 The authorization server
   MUST require public clients and SHOULD require confidential clients
   to register their redirection URIs.  If a redirection URI is provided
   in the request, the authorization server MUST validate it against the
   registered value.

I don't the think we are actually precluded from making the SHOULD a must
for Connect.


On 2012-05-17, at 2:49 PM, Mike Jones wrote:

Hi Chuck,

I was going through some of my mail working on closing the remaining issues
to finish the OAuth Bearer RFC and I ran across this message, which I
realized that I never responded to.

Could you expand on “This violates OAuth”?  Is there a change you’d
recommend in the Connect specs as a result?

(The second point is now moot, as we decided to remove the Check ID
Endpoint at the last in-person working group meeting.)

                                                                -- Mike

*From:* Chuck Mortimore [mailto:cmortimore at salesforce.com]
*Sent:* Friday, March 02, 2012 11:13 AM
*To:* Mike Jones
*Subject:* Additional issues/questions with Basic

2.2.1  redirect_uri:  A redirection URI where the response will be sent.
This MUST be pre-registered with the provider.

This Violates OAuth

2.3.1 CheckID: access_token:  REQUIRED. The ID Token obtained from an
OpenID Connect Authorization Request.

Why is this the ID Token, but called access_token?

Why would we use POST if it's in an AuthZ header?

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120518/afab8129/attachment.html>

More information about the Openid-specs-ab mailing list