[Openid-specs-ab] Issue #893: New Core: 2-Authentication Table bugs (openid/connect)

Nat Sakimura issues-reply at bitbucket.org
Thu Oct 31 07:15:06 UTC 2013

New issue 893: New Core: 2-Authentication Table bugs

Nat Sakimura:

Thanks for incorporating the table idea. 

IMHO, the Property column needs rework. 

I think it should state the purpose / target / goal from the point of view of the implementers, i.e., to be guidance. The current column is just describing some protocol properties, which seem to have been picked somewhat arbitrarily. A purpose-based column such as http://nat.sakimura.org/2013/10/30/guidance-on-which-grant-flow-to-use-for-openid-connect/ seems to give better guidance.

Even if the table was to express only the properties and not the guidance, the values of the rows are a bit buggy.

For example, 

"Client is authenticated" should be "Client can be authenticated". Authorization Code Flow does not necessarily mean that the client is confidential. 

In the "JavaScript-only Client possible" row, "Code" has "no" as the value, but that is not the case. Obviously, it may not be a good choice, but you can still build it in JavaScript (whether on the server side or in the browser). The same applies to "Hybrid" as well.
