[Openid-specs-mobile-profile] html version of the latest discovery draft

Torsten Lodderstedt torsten at lodderstedt.net
Sun Feb 15 15:33:15 UTC 2015

Hi John,

thank you for posting this version. Here are my comments:

section 2 - Overview

I think this section should describe the overall idea of the service. As 
far as I understand there are the following pillars:
(1) the interface is designed based on the OAuth flow. After having read 
this version, I'm not sure which endpoint will actually provide the 
discovery data to the client. Any new endpoint should be mentioned here 
as well.
- Some rationale why the discovery service's design is based on the 
OAuth protocol flow is needed as well. As far there are the following 
-- RPs shall not get access to the user's MSISDN (or other personal 
data). This is basically the reason to use a redirect based protocol, 
which allows the discovery services to ask the user for such data directly.
-- Countermeasures are needed in order to prevent open redirection.
(2) there is the new concept of a login_hint_token, it should be 
introduced here.
(3) in order to achieve the best possible user experience, the WG 
recommends to use the discovery service in conjunction with account 
chooser. This way the user's IDP data can be shared among RPs and there 
is no need to send her into the discovery process over and over again.

General questions:
a) What kind of apps do we want to address with the redirect-based 
protocol? The account chooser might work well for web app but is it the 
best solution for smartphone apps? I would assume OS-integrated account 
managers or a NAPPS-based solution would be more appropriate.
b) At least on Android devices, the app can query IMSI/MSISDN from the 
device (given the user consents). In this case, the app could directly 
send a POST-request to the discovery service and obtain the IDP metadata 
(without the need to kick off a browser and send it to the discovery 
service's HTML endpoint). I think this would result in an even better 
user experience and simpler integration, so I would suggest we support 
this flavour as well.

section 3 and 4

I was a bit suprised to read the AC description (in section 4) before 
the actual description of the discovery service (and I assume I won't be 
the only one). I suggest to swap 3 and 4 and describe the discovery 
protocol first.

I would encourage you to include examples of all protocol messages in 
this section.

section 4.2.

parameter mcc - why mcc only? Determining the MNO requires the mnc as well.

section 4.5

What is the discovery endpoint? Is it a modified authz/tokens endpoint 
or is it comparable to the user info endpoint? I'm asking because I 
don't understand whether the JWT is returned as a certain parameter or 
whether it is the body content of a response.

I feel text and example do not match in section 4.5. Based on the text I 
would assume, the result of the discovery endpoint requets is

    "user_iss": "https://discovery-provider.com",
    "login_hint_token": "i5555551212..."

where the login_hint_token contains the following JSON object:

    "iss": "https://discovery-provider.com",
    "aud": "https://babytel.com",
    "exp": 1311281970,
    "iat": 1311280970,
    "MSISDN": "1234567876543"
    "login_hint": "1234567876543"

Regarding the login_hint_token itself:

Why does it contain MSISDN and login_hint? I would assume login_hint is 
the super set of MSISDN.

What is the purpose for including MCC, MNC? They do not identify a 
certain access line/subscription (potentially user account) with the MNO.

some nits

section 1.2

The terms "primary token" and "secondary token" seem to be copied from a 
NAPPS spec?

section 2

Reated text "Overview." can be removed.

"OpenID Connect Clients using this specification are encouraged to use 
the OpenID Account chooser service."

I would suggest to a reference to the AC spec here (as this is the first 
time AC is mentioned).

best regards,

Am 11.02.2015 um 15:55 schrieb John Bradley:
> http://openid.bitbucket.org/draft-mobile-discovery-01.html
> The text and XML versions are at https://bitbucket.org/openid/mobile/src
> John B.
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20150215/c2b31771/attachment.html>

More information about the Openid-specs-mobile-profile mailing list