[Openid-specs-mobile-profile] Question on proposals to pass user_id/user_id_type

hubert.mariotte at orange.com hubert.mariotte at orange.com
Fri Nov 22 17:09:28 UTC 2019

Dear all

There are currently discussions regarding the use of a non-tied-to-a-user access token to access an API called ATP (Account Take over Protection) in the Mobile Connect context. That API was specified time ago as a GET request to be used just with tied-to-a-user access tokens and has already been implemented and deployed by some.
Today User Questioning allows the use of non-tied-to-a-user access tokens. In this case, the user_id and user_id_type are passed in the body request (embedded in a json) using a POST command. For ATP, in case of non-tied-to-a-user access token, the proposal is to pass the user_id (and also probably user_id_type) in a HTTP header respecting the command of the current API (GET in this case).
We would like to get your opinion on the two options from a general point of view (security, performances, complexity, usage, usability, ...). Also, if you would consider both options acceptable, despite the differences and the drawbacks they might have :
*         user_id passed in a json in the body
*         user_id passed in a HTTP header
Our next call on this subject is during the week 49 and we would appreciate an answer before.



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-mobile-profile/attachments/20191122/394a9e17/attachment-0001.html>

More information about the Openid-specs-mobile-profile mailing list