[Openid-specs-ab] Spec call notes 27-Sep-12

Roland Hedberg roland.hedberg at adm.umu.se
Sat Sep 29 16:32:11 UTC 2012

27 sep 2012 kl. 11:31 skrev Roland Hedberg <roland.hedberg at adm.umu.se>:

> 27 sep 2012 kl. 17:15 skrev Mike Jones <Michael.Jones at microsoft.com>:
>>               Mike would like to see a mobile phone application being tested
>>                              Nat will try to find someone to work on this
>>                              Roland said that you have to catch and handle the redirect
>>                              Roland said that you have to manage cookies as well
>>                                             There may be different cookies between the OP and RP versus the OP and the browser
>>                                             Nat and George said that it would be better to not use cookies in this case and just use the ID Token
> Just to be clear this is not a choice the mobile phone app makes, it's a decision made by the OP implementor.

Oh, and by the way the problem with a client in a non-web application environment is not the handling of redirects and/or cookies.
It is the authentication of the user.
The same problem applies to SAML ECP where the present solution seems to be HTTP basic auth with the users uid/password or personal certificate.

-- Roland
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS) 
Umeå University 
SE-901 87 Umeå, Sweden	
Phone +46 90 786 68 44
Mobile +46 70 696 68 44 

More information about the Openid-specs-ab mailing list