[Openid-specs-mobile-profile] Mobile Profile parameters

John Bradley ve7jtb at ve7jtb.com
Tue Apr 7 13:32:47 UTC 2015

nonce and state are opaque to the AS and required for the AS to support now.

Forcing a client to send them may not achieve anything if the client sticks some static value in them to fulfill the spec.
Teaching clients to use them properly to protect themselves is more important.

We debated making nonce required for code, but decided that there were sufficient protections by validating the redirect_uri at the token endpoint.

max_age is probably a bad thing to force clients to send.  It will end in tears because clients will not understand what it means and cause a bad user experience.

sending prompt every-time will also have bad user experience consequences,  mostly you don't want to send it unless you really want something other than the default of prompting the user only if they need to re-auth, or not prompt, 
and return an error to the client if they need to re-auth (this allows a background check in a iframe). 

Forcing the client to request a acr if it is willing to take anything also seems a bit misguided.

So I would say that who ever came up with that has a limited understanding of Connect.

John B.
> On Apr 7, 2015, at 1:59 AM, GONZALO FERNANDEZ RODRIGUEZ <gonzalo.fernandezrodriguez at telefonica.com> wrote:
> Hi Guys,
> I have been reviewing the Mobile Connect Profile doc released by the GSMA. There are some parameters in the authentication request, id_token and userinfo that have changed their use from optional to recommend or mandatory (These cases are showed in green). I don't think it is a problem to turn an optional parameter into mandatory in responses (id_token or userinfo), but I would like to highlight the cases where the spec says that the parameters are optional in the authentication request and the Mobile Profile says that they are mandatory, because I think they break the backward compatibility of the OIDC servers unless we can to differentiate the mobile profile requests from the other requests.
> -------------------          ---------------------
>      ------------------------
> state Recommended
> Mandatory
> nonce Recommended
> Mandatory
> prompt Recommended
> Mandatory
> max_age Recommended
> Mandatory
> acr_values Recommended
> Mandatory
> I understand that state and nonce offer and added value from the point of view of security, however I don't see the benefit of the acr_values as mandatory parameter.
> Best,
> Gonza.
> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
> The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
> Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
> _______________________________________________
> Openid-specs-mobile-profile mailing list
> Openid-specs-mobile-profile at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20150407/07b0a65e/attachment.html>

More information about the Openid-specs-mobile-profile mailing list