[Openid-specs-ab] Spec call notes 5-Nov-12
Richer, Justin P.
jricher at mitre.org
Tue Nov 6 14:50:05 UTC 2012
That approach makes sense - I created a new issue for alignment with the OAuth2 spec, and that can be the issue that tracks this change. I agree completely with the "break it only once" mindset, with the idea that if you're going to break it anyway, make sure you break it *right* so that you don't have to break it *again*.
On Nov 6, 2012, at 9:04 AM, John Bradley wrote:
We discussed that last night.
There is interop testing happening based on the current OIDC draft, so we are averse to breaking changes unless required.
It may be better to decide on things for the OAuth spec and do that the "correct" way then do a single change to the OIDC spec to align it.
Hopefully reducing the impact on developers.
#674 is an error in the description that needs to be fixed, so I will do that one.
#673 is a feature that we don't think is currently in most implementations, so if we want to change it for OAUTH it would be good to catch that change now in the OIDC version.
We want to get feedback from developers on if they want to change now or do it as part of a later reconciliation with the OAuth draft.
#672 is in active testing so we felt that was better left to a reconciliation stage. We don't want to limit the decisions for the OAUTH version, but also don't want to stop testing.
Nat is going to read your draft before we decide on going forward with any restructuring.
On 2012-11-06, at 8:30 AM, "Richer, Justin P." <jricher at mitre.org> wrote:
#667 Registration - Restructuring
We agreed to restructure - assigned to Nat
#672 Registration 2.1: Rename token_endpoint_auth_type to token_endpoint_auth_method
We won't make a change because there isn't a compelling reason for a breaking change at this point
#673 Registration 2.1: Rename require_signed_request_object to request_object_alg
We will send a note to the WG asking if people would object to changing the name to require_signed_request_object_alg
#674 Registration 2.1: Typo in require_auth_time
The "(default max authentication age)" text is a cut-and-paste error
I would hold off on all of these issues due to the new OAuth2 registration draft, which supersedes (by design) the core functionality of the OIDC registration draft. This will change the structure and content of the OIDC registration draft significantly. Ideally, in my mind at least, the OIDC draft should be an extension/profile/whatever of the OAuth2 registration draft, and I've tried to structure the OAuth2 one such that the OIDC one can easily do just that by extending the data structure in section 3, Client Metadata. If you want, assign the above issues all to me so that I can make sure they get incorporated into the right document.
Both John and Mike have volunteered to be co-authors on the OAuth2 document, so we can have a pretty strong assurance of compatibility. However, I do anticipate a handful of breaking changes, generally in the form of changed parameter names and values (I anticipate the overall structure remaining the same). I'm of the mindset that if we're going to be changing one, we should change and clean up the rest at the same time. I'll be keeping the latest rendition of the OAuth2 draft in GitHub:
So the best way for *anyone* to get changes incorporated is to file a pull request there.