[Openid-specs-ab] Openid connect discovery review

Mike Jones Michael.Jones at microsoft.com
Tue Dec 17 06:26:38 UTC 2013


Thanks for the review, as always, George.  This is my Disposition of Comments (DoC) reply to your review.  If I accepted your suggestion, I haven't included any reply to it here.  The changes resulting from this review have been released at http://openid.bitbucket.org/.

3-1 - The term "Relying Party" is defined in Core and incorporated by reference in Discovery.

7-1 - I believe that Account Chooser is passing the user identifier (which is typically a full e-mail address) and the issuing domain as separate parameters.

-- Mike



-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of George Fletcher
Sent: Saturday, October 26, 2013 7:51 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Openid connect discovery review

> See file attached to this message
>
> File: OpenID Connect Discovery - draft 18 - flattened.pdf
>
> Annotation summary:
>
> --- Page 3 ---
>
> Highlight (yellow), Oct 25, 2013, 9:28 AM, George Fletcher:
> Relying Party
>
> Note (yellow), Oct 25, 2013, 9:28 AM, George Fletcher:
> Relying Party is capitalized but not defined. This probably doesn't matter, but I just wanted to check given the earlier comment about "capitalized" terms being normative.
>
> Highlight (yellow), Oct 25, 2013, 9:28 AM, George Fletcher:
> The Issuer MUST be returned in the response
>
> Note (yellow), Oct 25, 2013, 9:28 AM, George Fletcher:
> I'm assuming this means... The Issuer MUST be returned as a result of the OP discovery flow. WebFinger allows for discovery endpoint redirection, and requiring the Issuer in the response seems to preclude that option.
>
> --- Page 7 ---
>
> Note (yellow), Oct 25, 2013, 9:28 AM, George Fletcher:
> What is Account Chooser doing in this case? Is it the IdP's responsibility to put the non-owned domain's loginID into Account Chooser?
>
> --- Page 8 ---
>
> Note (yellow), Oct 25, 2013, 9:28 AM, George Fletcher:
> I'm not quite sure how to really comply with this, as at AOL all the RSs define their own scopes. Keeping the AS up to date with all in-use scopes has some operational issues. Also, there are some scopes we may wish not to publish. I realize that this item is just RECOMMENDED, but that is still very strong. Curious how other Authorization Servers are dealing with this.
>
> Highlight (yellow), Oct 25, 2013, 9:28 AM, George Fletcher:
> scopes_supported
>
> (report generated by GoodReader)
>
> --
> George Fletcher
> Blog: http://practicalid.blogspot.com
> Photos: http://www.flickr.com/photos/gffphotos
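The issuer handling that George's Page 3 note and the Page 8 note on scopes_supported turn on, as an added Python example that is not part of this thread and is not OpenID Foundation code: it takes a constructed WebFinger JRD and a constructed provider metadata document (both embedded below, standing in for HTTPS responses), extracts the OP issuer, builds the openid-configuration URL from it, and refuses the metadata unless its issuer value equals the issuer that was used to fetch it, which is the check that stops a discovery answer from being attributed to the wrong OP. The rel type and the .well-known path are the ones in the published Discovery spec; the hostnames, subject and scope list are made up, and scopes_supported is surfaced as an optional field because the spec only RECOMMENDS it.

```python
import json
from urllib.parse import urlparse

# rel type and well-known path from the published OpenID Connect Discovery spec
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample documents standing in for HTTPS responses (not from the thread).
WEBFINGER_RESPONSE = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": ISSUER_REL, "href": "https://login.example.com"},
    ],
})

OPENID_CONFIGURATION = json.dumps({
    "issuer": "https://login.example.com",
    "authorization_endpoint": "https://login.example.com/authorize",
    "token_endpoint": "https://login.example.com/token",
    "jwks_uri": "https://login.example.com/jwks.json",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def issuer_from_webfinger(jrd_text):
    """Return the OP issuer advertised in a WebFinger JRD, or raise ValueError."""
    jrd = json.loads(jrd_text)
    for link in jrd.get("links", []):
        if link.get("rel") == ISSUER_REL and link.get("href"):
            return link["href"]
    raise ValueError("WebFinger response carries no OpenID issuer link")


def configuration_url(issuer):
    """Build the provider metadata URL from an issuer identifier.

    Only https issuers without query or fragment are accepted, so an odd
    issuer value from WebFinger cannot steer the RP to another scheme or
    to a URL whose well-known path would be mangled.
    """
    parts = urlparse(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError("issuer must be an https URL without query or fragment")
    return issuer.rstrip("/") + WELL_KNOWN


def issuer_matches(expected_issuer, config_text):
    """True if the metadata's 'issuer' is exactly the issuer used to fetch it."""
    cfg = json.loads(config_text)
    return cfg.get("issuer") == expected_issuer


def discover(jrd_text, config_text):
    """Run the discovery steps offline and return a validated metadata summary."""
    issuer = issuer_from_webfinger(jrd_text)
    url = configuration_url(issuer)
    if not issuer_matches(issuer, config_text):
        raise ValueError("issuer in metadata does not match %s" % issuer)
    cfg = json.loads(config_text)
    return {
        "issuer": issuer,
        "configuration_url": url,
        # RECOMMENDED, not REQUIRED, so an OP may legitimately omit it
        "scopes_supported": cfg.get("scopes_supported"),
        "authorization_endpoint": cfg["authorization_endpoint"],
    }


if __name__ == "__main__":
    print(json.dumps(discover(WEBFINGER_RESPONSE, OPENID_CONFIGURATION), indent=2))
    # A metadata document naming a different issuer must be rejected.
    tampered = OPENID_CONFIGURATION.replace(
        '"issuer": "https://login.example.com"', '"issuer": "https://other.example.net"')
    print("tampered issuer accepted:", issuer_matches("https://login.example.com", tampered))
```

Run as a script it prints the discovered summary and then `tampered issuer accepted: False`. The comparison in issuer_matches is an exact string comparison on purpose: normalising case or trailing slashes before comparing would let two differently-spelled identifiers pass as one.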