<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">Ok, that makes sense. I
think we need to add some text to that effect. As for processing
rules, is the AS supposed to ignore any parameter that is in the
query/post parameter list if there is a matching parameter in the
request object? It seems strange to allow a request where the data
is different between the two sets of parameters. I'd prefer to
reject any request where the same named parameters don't match.<br>
<br>
Thanks,<br>
George<br>
</font><br>
On 9/20/11 2:19 PM, Edmund Jay wrote:
<blockquote
cite="mid:1316542762.55106.YahooMailRC@web82608.mail.mud.yahoo.com"
type="cite">
<style type="text/css"><!-- DIV {margin:0px;} --></style>
<div style="font-family:tahoma,new
york,times,serif;font-size:10pt">
<div>The query parameters need to be sent even when "request"
parameter is sent because the request needs to conform to
OAuth specs.<br>
The "request" parameter is an extension parameter used for
creating more complex requests and as a way to sign/encrypt
the request. Therefore the query parameters need to be
present in the "request" object also and will take precedence.<br>
</div>
<div style="font-family:tahoma, new york, times,
serif;font-size:10pt"><br>
<div style="font-family:arial, helvetica,
sans-serif;font-size:10pt"><font face="Tahoma" size="2">
<hr size="1"><b><span style="font-weight: bold;">From:</span></b>
Roland Hedberg <a class="moz-txt-link-rfc2396E" href="mailto:roland.hedberg@adm.umu.se"><roland.hedberg@adm.umu.se></a><br>
<b><span style="font-weight: bold;">To:</span></b> George
Fletcher <a class="moz-txt-link-rfc2396E" href="mailto:gffletch@aol.com"><gffletch@aol.com></a><br>
<b><span style="font-weight: bold;">Cc:</span></b>
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net">"openid-specs-ab@lists.openid.net"</a>
<a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net"><openid-specs-ab@lists.openid.net></a><br>
<b><span style="font-weight: bold;">Sent:</span></b> Mon,
September 19, 2011 11:49:53 PM<br>
<b><span style="font-weight: bold;">Subject:</span></b>
Re: [Openid-specs-ab] Comments on the OpenID Connect
Standard spec 1.0 draft 4<br>
</font><br>
<br>
On 20 Sep 2011, at 03:37, George Fletcher wrote:<br>
<br>
> <br>
> * Section 4.1.1.2<br>
> <br>
> The second paragraph says that parameters specified in
the "OpenID Request Object" take precedence over query
parameters. Yet the non-normative example shows the same
parameter in both the query string and the OpenID Request
Object. Given that the Request Object takes precedence,
isn't just the request object enough? So the last example in
section 4.1.1.2 could be...<br>
> <br>
> <a moz-do-not-send="true"
href="https://server.example.com/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwidXNlcmluZm8iOnsiY2xhaW1zIjp7Im5hbWUiOm51bGwsIm5pY2tuYW1lIjp7Im9wdGlvbmFsIjp0cnVlfSwiZW1haWwiOm51bGwsInZlcmlmaWVkIjpudWxsLCJwaWN0dXJlIjp7Im9wdGlvbmFsIjp0cnVlfX0sImZvcm1hdCI6InNpZ25lZCJ9LCJpZF90b2tlbiI6eyJtYXhfYWdlIjo4NjQwMCwiaXNvMjkxMTUiOiIyIn19.2OiqRgrbrHkA1FZ5p_7bc_RSdTbH-wo_Agk-ZRpD3wY"
target="_blank">https://server.example.com/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwidXNlcmluZm8iOnsiY2xhaW1zIjp7Im5hbWUiOm51bGwsIm5pY2tuYW1lIjp7Im9wdGlvbmFsIjp0cnVlfSwiZW1haWwiOm51bGwsInZlcmlmaWVkIjpudWxsLCJwaWN0dXJlIjp7Im9wdGlvbmFsIjp0cnVlfX0sImZvcm1hdCI6InNpZ25lZCJ9LCJpZF90b2tlbiI6eyJtYXhfYWdlIjo4NjQwMCwiaXNvMjkxMTUiOiIyIn19.2OiqRgrbrHkA1FZ5p_7bc_RSdTbH-wo_Agk-ZRpD3wY</a><br>
> <br>
<br>
I went through the same reasoning but I came out the other
end with the idea that the parameters that matter, those you
want to sign, should be in the request JWT, and those
that aren't vital (are there any such?) could be in the query
string.<br>
Anyway, I also see no reason for parameters to be in both.<br>
<br>
> * Section 4.1.4.1<br>
> <br>
> This probably isn't an issue, but ensuring the entire
URL does not exceed 512 bytes requires both the AS and the
Client to work together. If the client has a really large
state value, and the AS has a large code value, the combined
length could be greater than 512.<br>
<br>
Agreed, a badly behaved client can make it impossible for a
server to construct URLs shorter than 512 bytes.<br>
<br>
-- Roland<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
ymailto="mailto:Openid-specs-ab@lists.openid.net"
href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Chief Architect AIM: gffletch
Identity Services Engineering Work: <a class="moz-txt-link-abbreviated" href="mailto:george.fletcher@teamaol.com">george.fletcher@teamaol.com</a>
AOL Inc. Home: <a class="moz-txt-link-abbreviated" href="mailto:gffletch@aol.com">gffletch@aol.com</a>
Mobile: +1-703-462-3494 Blog: <a class="moz-txt-link-freetext" href="http://practicalid.blogspot.com">http://practicalid.blogspot.com</a>
Office: +1-703-265-2544 Twitter: <a class="moz-txt-link-freetext" href="http://twitter.com/gffletch">http://twitter.com/gffletch</a>
</pre>
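<p>The two processing rules discussed in this thread, shown as an added example that is not part of the thread and not the code of any OpenID Connect implementation: a small authorization-server routine that first verifies an HS256-signed request object, then either lets the request object take precedence over the query string (the draft 4 section 4.1.1.2 rule) or, in strict mode, rejects any request where a parameter appears in both places with different values (George's preferred rule). The HMAC key, the sample URLs and the claim values are constructed for the demonstration; the parameter names are modelled on the draft's example.</p>

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key; a real AS would use the key registered for the client.
DEMO_KEY = b"constructed-demo-hmac-key"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS carrying `claims` (the request object)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_jwt(token: str, key: bytes) -> dict:
    """Verify the signature and return the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a three-part compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the token must not get to choose its own algorithm
        raise ValueError("unsupported alg in request object")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("request object signature does not verify")
    return json.loads(b64url_decode(payload_b64))


def find_conflicts(query: dict, request_object: dict) -> list:
    """Names present in both sets whose values differ (query values are always strings)."""
    return sorted(name for name, value in query.items()
                  if name in request_object and str(request_object[name]) != value)


def resolve_authorization_request(url: str, key: bytes, strict: bool) -> dict:
    """Combine the query string with the signed request object.

    strict=True  -> reject when a parameter appears in both with different values.
    strict=False -> the request object takes precedence, as draft 4 section 4.1.1.2 says.
    """
    query = {name: values[0] for name, values in parse_qs(urlparse(url).query).items()}
    token = query.pop("request", None)
    if token is None:
        return {"accepted": True, "params": query, "conflicts": [], "reason": None}
    try:
        request_object = verify_hs256_jwt(token, key)
    except ValueError as err:
        return {"accepted": False, "params": None, "conflicts": [], "reason": str(err)}
    conflicts = find_conflicts(query, request_object)
    if strict and conflicts:
        return {"accepted": False, "params": None, "conflicts": conflicts,
                "reason": "query string and request object disagree"}
    merged = dict(query)
    merged.update(request_object)  # request object wins wherever both carry the name
    return {"accepted": True, "params": merged, "conflicts": conflicts, "reason": None}


# Constructed sample requests (values modelled on the draft's example, not copied from it).
_BASE_QUERY = {
    "response_type": "code id_token",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.com/cb",
    "scope": "openid profile",
    "state": "af0ifjsldkj",
}
_REQUEST_CLAIMS = dict(_BASE_QUERY, userinfo={"claims": {"name": None, "email": None}},
                       id_token={"max_age": 86400})


def consistent_request_url() -> str:
    """Query string and request object agree on every shared parameter."""
    query = dict(_BASE_QUERY, request=make_hs256_jwt(_REQUEST_CLAIMS, DEMO_KEY))
    return "https://server.example.com/authorize?" + urlencode(query)


def mismatched_request_url() -> str:
    """The signed request object asks for 'code id_token' but the query string says 'code'."""
    query = dict(_BASE_QUERY, response_type="code", request=make_hs256_jwt(_REQUEST_CLAIMS, DEMO_KEY))
    return "https://server.example.com/authorize?" + urlencode(query)


def forged_request_url() -> str:
    """Same claims, signed under a different key, so verification must fail."""
    query = dict(_BASE_QUERY, request=make_hs256_jwt(_REQUEST_CLAIMS, b"some-other-key"))
    return "https://server.example.com/authorize?" + urlencode(query)


if __name__ == "__main__":
    for label, url in [("consistent", consistent_request_url()),
                       ("mismatched", mismatched_request_url()),
                       ("forged", forged_request_url())]:
        print(label, resolve_authorization_request(url, DEMO_KEY, strict=True))
```

<p>Run with <code>strict=False</code> the mismatched request is accepted with <code>response_type</code> taken from the request object, which is exactly the silent override George objects to; the <code>conflicts</code> list is still returned so the AS can at least log the disagreement. Signature verification happens before any merging, so an unsigned or re-signed request object never influences which values win.</p>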
</body>
</html>