<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">Ok, that makes sense. I
      think we need to add some text to that effect. As for processing
      rules, is the AS supposed to ignore any parameter that is in the
      query/post parameter list if there is a matching parameter in the
      request object? It seems strange to allow a request where the data
      is different between the two sets of parameters. I'd prefer to
      reject any request where the same named parameters don't match.<br>
      <br>
      Thanks,<br>
      George<br>
    </font><br>
    On 9/20/11 2:19 PM, Edmund Jay wrote:
    <blockquote
      cite="mid:1316542762.55106.YahooMailRC@web82608.mail.mud.yahoo.com"
      type="cite">
      <style type="text/css"><!-- DIV {margin:0px;} --></style>
      <div style="font-family:tahoma,new
        york,times,serif;font-size:10pt">
        <div>The query parameters need to be sent even when "request"
          parameter is sent because the request needs to conform to
          OAuth specs.<br>
          The "request" parameter is an extension parameter used for
          creating more complex requests and as a way to sign/encrypt
          the request.  Therefore the query parameters need to be
          present in the "request" object also and will take precedence.<br>
        </div>
        <div style="font-family:tahoma, new york, times,
          serif;font-size:10pt"><br>
          <div style="font-family:arial, helvetica,
            sans-serif;font-size:10pt"><font face="Tahoma" size="2">
              <hr size="1"><b><span style="font-weight: bold;">From:</span></b>
              Roland Hedberg <a class="moz-txt-link-rfc2396E" href="mailto:roland.hedberg@adm.umu.se"><roland.hedberg@adm.umu.se></a><br>
              <b><span style="font-weight: bold;">To:</span></b> George
              Fletcher <a class="moz-txt-link-rfc2396E" href="mailto:gffletch@aol.com"><gffletch@aol.com></a><br>
              <b><span style="font-weight: bold;">Cc:</span></b>
              <a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net">"openid-specs-ab@lists.openid.net"</a>
              <a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net"><openid-specs-ab@lists.openid.net></a><br>
              <b><span style="font-weight: bold;">Sent:</span></b> Mon,
              September 19, 2011 11:49:53 PM<br>
              <b><span style="font-weight: bold;">Subject:</span></b>
              Re: [Openid-specs-ab] Comments on the OpenID Connect
              Standard spec 1.0 draft 4<br>
            </font><br>
            <br>
            On 20 Sep 2011, at 03:37, George Fletcher wrote:<br>
            <br>
            > <br>
            > * Section 4.1.1.2<br>
            > <br>
            > The second paragraph says that parameters specified in
            the "OpenID Request Object" take precedence over query
            parameters. Yet the non-normative example shows the same
            parameter in both the query string and the OpenID Request
            Object. Given that the Request Object takes precedence,
            isn't just the request object enough? So the last example in
            section 4.1.1.2 could be...<br>
            > <br>
            > <a moz-do-not-send="true"
href="https://server.example.com/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtx"
              target="_blank">https://server.example.com/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtx</a>
            dDMiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUiLCJzd
            GF0ZSI6ImFmMGlmanNsZGtqIiwidXNlcmluZm8iOnsiY2xhaW1zIjp7Im5hbWUiOm51bGwsIm5pY2tuYW1lIjp7Im9wdGlvbmFsIjp0cnVlfS
            wiZW1haWwiOm51bGwsInZlcmlmaWVkIjpudWxsLCJwaWN0dXJlIjp7Im9wdGlvbmFsIjp0cnVlfX0sImZvcm1hdCI6InNpZ25lZCJ9LCJpZF9
0b2tlbiI6eyJtYXhfYWdlIjo4NjQwMCwiaXNvMjkxMTUiOiIyIn19.2OiqRgrbrHkA1FZ5p_7bc_RSdTbH-wo_Agk-ZRpD3wY<br>
            > <br>
            <br>
            I went through the same reasoning but I came out the other
            end with the idea that the parameters that matter, those you
            want to sign, should be in the request JWT and those
            that aren't vital (are there any such?) could be in the query
            string.<br>
            Anyway I also see no reason for parameters to be in both.<br>
            <br>
            > * Section 4.1.4.1<br>
            > <br>
            > This probably isn't an issue, but ensuring the entire
            URL does not exceed 512 bytes requires both the AS and the
            Client to work together. If the client has a really large
            state value, and the AS has a large code value, the combined
            length could be greater than 512.<br>
            <br>
            Agreed, a badly behaved client can make it impossible for a
            server to construct URLs shorter than 512 bytes.<br>
            <br>
            -- Roland<br>
            <br>
            _______________________________________________<br>
            Openid-specs-ab mailing list<br>
            <a moz-do-not-send="true"
              ymailto="mailto:Openid-specs-ab@lists.openid.net"
              href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
            <a moz-do-not-send="true"
              href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
              target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Chief Architect                   AIM:  gffletch
Identity Services Engineering     Work: <a class="moz-txt-link-abbreviated" href="mailto:george.fletcher@teamaol.com">george.fletcher@teamaol.com</a>
AOL Inc.                          Home: <a class="moz-txt-link-abbreviated" href="mailto:gffletch@aol.com">gffletch@aol.com</a>
Mobile: +1-703-462-3494           Blog: <a class="moz-txt-link-freetext" href="http://practicalid.blogspot.com">http://practicalid.blogspot.com</a>
Office: +1-703-265-2544           Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/gffletch">http://twitter.com/gffletch</a>
</pre>
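<p>The two processing questions raised in this thread, how an AS should treat a parameter that appears both on the query string and inside the signed "request" object, and how a large client-chosen state value interacts with the 512-byte URL limit discussed under section 4.1.4.1, can be made concrete in code. The following is an added example written for this page; it is not code from the thread, from the OpenID Connect draft or from any participant. It uses only the Python standard library, signs the request object with HS256 under a constructed demo key, and models the claim values on the thread's example request (client_id s6BhdRkqt3, state af0ifjsldkj, and so on). The <code>strict</code> flag corresponds to the rule George proposes (reject on mismatch); with <code>strict=False</code> the request object simply takes precedence as Edmund describes. The function and scenario names are this example's own.</p>

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Constructed shared secret for the HS256 demo; not a real key.
DEMO_KEY = b"constructed-client-secret-for-demo"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(claims: dict, key: bytes) -> str:
    """Client side: build an HS256-signed OpenID Request Object (compact JWS)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_request_object(token: str, key: bytes) -> dict:
    """AS side: verify the JWS signature and return the decoded claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # accept only the algorithm we expect
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("signature does not verify")
    return json.loads(_b64url_decode(p))


class RequestRejected(Exception):
    """Raised when the AS refuses the authorization request."""


OAUTH_REQUIRED = ("response_type", "client_id")  # must stay on the query string


def resolve_authorization_params(query: dict, key: bytes, strict: bool = True) -> dict:
    """Merge query-string parameters with the signed "request" object.

    strict=True  : a parameter present in both places with differing values
                   causes rejection (the stricter rule proposed in the thread).
    strict=False : the request object silently takes precedence.
    """
    for name in OAUTH_REQUIRED:  # plain OAuth parameters are required regardless
        if name not in query:
            raise RequestRejected("missing OAuth parameter: " + name)
    token = query.get("request")
    merged = {k: v for k, v in query.items() if k != "request"}
    if token is None:
        return merged
    try:
        claims = verify_request_object(token, key)
    except ValueError as exc:
        raise RequestRejected("invalid request object: %s" % exc)
    for name, value in claims.items():
        if strict and name in merged and merged[name] != value:
            raise RequestRejected(
                "parameter %r differs between query string and request object" % name)
        merged[name] = value  # request object wins over the query string
    return merged


def code_redirect_url(redirect_uri: str, code: str, state: str, limit: int = 512):
    """Build the code response URL and report whether it fits within the limit.

    The client controls redirect_uri and state; only the AS controls code, so
    the AS alone cannot guarantee the limit is met.
    """
    url = redirect_uri + "?" + urlencode({"code": code, "state": state})
    return url, len(url.encode()) <= limit


def run_scenarios() -> dict:
    """Exercise the checks with constructed inputs; returns outcomes by name."""
    claims = {"response_type": "code id_token", "client_id": "s6BhdRkqt3",
              "redirect_uri": "https://client.example.com/cb",
              "scope": "openid profile", "state": "af0ifjsldkj",
              "id_token": {"max_age": 86400}}
    token = make_request_object(claims, DEMO_KEY)
    base = {"response_type": "code id_token", "client_id": "s6BhdRkqt3",
            "request": token}
    forged = token.rsplit(".", 1)[0] + "." + "A" * 43  # signature replaced
    results = {"consistent": resolve_authorization_params(base, DEMO_KEY)["scope"]}
    for name, query, strict in [
        ("client_id_mismatch_strict", dict(base, client_id="other-client"), True),
        ("client_id_mismatch_lenient", dict(base, client_id="other-client"), False),
        ("tampered_signature", dict(base, request=forged), True),
        ("missing_client_id", {k: v for k, v in base.items() if k != "client_id"}, True),
    ]:
        try:
            results[name] = resolve_authorization_params(query, DEMO_KEY, strict)["client_id"]
        except RequestRejected as exc:
            results[name] = "rejected: " + str(exc)
    _, fits = code_redirect_url("https://client.example.com/cb", "c" * 40, "s" * 500)
    results["oversized_state_fits_512"] = fits
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print("%-28s %s" % (name, outcome))
```

<p>Running the scenarios shows the difference between the two policies: with <code>strict=True</code> a client_id that disagrees between the query string and the request object is rejected outright, while with <code>strict=False</code> the request-object value wins and the query-string value is dropped. The last scenario is Roland's point in numbers: a 500-byte state pushes the redirect URL past 512 bytes no matter how short the AS keeps its code.</p>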
  </body>
</html>