[Openid-specs-igov] iGov Notes
Justin Richer
jricher at mit.edu
Tue Jul 11 15:59:18 UTC 2017
I spent some time reading through the documents and had a few comments:
OAuth:
- §2.1.3 should come earlier in the document, maybe even as its own upper-level section such as §2.1, shifting everything else down
- §2.1.3.3 prohibits use of implicit or browser based clients, but other parts of the document reference these flows. Also this paragraph is very long and detailed for something that’s prohibited.
- §2.1.5 says that all clients must have keys until the end where it says one exception. This can probably be rearranged to be more clear.
- §3.3 should mention PKCE parameters
- §3.6 is about protected resource and should go under §4 someplace
OIDC:
- §2.1 “prompt” parameter with a single value is overly restrictive, requirement should be removed or justified (I suggest removed — it’s not explained and I don’t see a good reason for it anyway)
- §3.1 should more strongly encourage subject to be pairwise, with a forward note to privacy considerations
- §3.1 optionality of nonce is not specified
- §3.6 vot discovery claim is unspecified. Suggest that we include and reference trustmark claims from VoT section 6
- §4.2 The scopes and their resulting claims need more explanation and examples. We need a data model and schema. If someone asks for "bio" do I respond with:
    "height": "5'11"
  or
    "height": 180
  or
    "tallness": true
- §5 the last paragraph needs to be removed or rewritten. Here we just want to justify why pairwise is a good idea — so explain that, don’t add more non-requirements.
— Justin
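The notes above twice push for pairwise subject identifiers (§3.1 and §5) so that two relying parties cannot correlate the same user across services. As an added illustration, not code from the thread or from the iGov profile, here is one way an OpenID Provider can derive such an identifier following the scheme OpenID Connect Core §8.1 describes: hash the relying party's sector identifier together with the local account identifier and a provider-held salt. The salt value, the separator bytes and the sample redirect URIs are constructed for this example.

```python
import base64
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed per-provider secret; a real OP keeps this in its key store and
# never rotates it casually, because rotation changes every user's "sub".
OP_PAIRWISE_SALT = b"example-op-salt-do-not-reuse"


def sector_identifier(redirect_uri: str, sector_identifier_uri: Optional[str] = None) -> str:
    """Return the host that groups an RP's redirect URIs into one sector.

    When the RP registers a sector_identifier_uri, that host is used so several
    redirect URIs on different hosts still share one sector; otherwise the host
    of the redirect URI itself is the sector (as OIDC Core 8.1 describes).
    """
    uri = sector_identifier_uri or redirect_uri
    host = urlparse(uri).hostname
    if not host:
        raise ValueError("URI has no host component: %r" % uri)
    return host.lower()


def pairwise_sub(local_account_id: str, sector: str, salt: bytes = OP_PAIRWISE_SALT) -> str:
    """Derive a stable, sector-specific subject identifier.

    sub = base64url(SHA-256(sector || 0x00 || local_account_id || 0x00 || salt))
    The separator bytes prevent ambiguous concatenations (e.g. "ab"+"c" vs "a"+"bc").
    Without the salt, an RP that guesses local account ids could brute-force them.
    """
    material = sector.encode("utf-8") + b"\x00" + local_account_id.encode("utf-8") + b"\x00" + salt
    digest = hashlib.sha256(material).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def subs_for_user(local_account_id: str, redirect_uris: list) -> dict:
    """Map each RP redirect URI to the sub that user would receive there."""
    return {uri: pairwise_sub(local_account_id, sector_identifier(uri)) for uri in redirect_uris}


if __name__ == "__main__":
    # Constructed sample relying parties.
    rps = [
        "https://app.agency-a.example/callback",
        "https://portal.agency-b.example/oidc/return",
        "https://app.agency-a.example/other-callback",  # same sector as the first
    ]
    for uri, sub in subs_for_user("user-12345", rps).items():
        print(uri, "->", sub)
```

Usage note: two redirect URIs on the same host yield the same sub, so an RP's own sessions stay linkable, while a different host yields an unrelated value. The identifier is 43 characters of base64url, well within the 255-character limit OIDC places on sub. The privacy benefit holds only if the salt stays secret and the OP does not also hand out a correlatable claim such as a stable email address alongside the pairwise sub.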