[Openid-specs-ab] Possible MTI fallback position for OpenID Request Object

Tim Bray tbray at textuality.com
Fri Feb 1 16:09:16 UTC 2013


On Thu, Jan 31, 2013 at 4:54 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> As discussed on today’s call, it does several related things:

Actually, part of the gripe is that the things it does are not
strongly/clearly related.

> The primary thing that some people on the call seemed to feel should not be
> Mandatory to Implement (MTI) functionality is having to respond to requests
> for specific individual claims.

Just to be clear: my engineering group wasn’t objecting to any one
component in particular, just not wanting to take on the scaling and
UX consequences of the whole package of fish-and-bicycles as specified
in the current messages draft, when we think we can build a
perfectly satisfactory and usable Internet-scale identity system
without Request Objects.

> In summary, the middle ground that I’d like people to discuss is:
>   - Parsing OpenID Request Object MTI
>   - Using request parameters contained in Request Object MTI
>   - Supporting “preferred_locales” and “max_age” parameters MTI
>   - Supporting “claims” fields OPTIONAL
>   - If “claims” fields not supported, the claims returned would be determined by the OP
>   - It would be discoverable whether “claims” is supported by an OP
>   - Supporting “request_file” OPTIONAL
>   - It would be discoverable whether “request_file” is supported
>   - If “request_file” is not supported, the claims returned would be determined by the OP

I’m not sure I understand your 2nd bullet point, “request parameters”.
Maybe a pointer into section 2.1.1.1 would help?

But here’s what I think you meant.  A conforming implementation would
be required to:

- parse the request object
- understand and comply with:
-- request_object['userinfo']['preferred_locales']
-- request_object['id_token']['sub']
-- request_object['id_token']['auth_time']
-- request_object['id_token']['max_age']
-- request_object['id_token']['acr']
- everything else can be ignored

I’ll be honest; this seems like a bit of an uphill struggle.  But
before I take this to the guys, is my understanding of what you’re
proposing correct?

 -Tim

