[Openid-specs-native-apps] AppInfo endpoint

Paul Madsen paul.madsen at gmail.com
Mon Sep 29 23:35:25 UTC 2014


My point was that if the AS knew the user wasn't authorized for any apps, 
it wouldn't give the TA any tokens.

If it did indeed give the TA an access token, then is it not fair to 
presume that the AppInfo will include at least one app?

paul

On 9/29/14, 7:29 PM, John Bradley wrote:
> Inline
> On Sep 29, 2014, at 8:09 PM, Paul Madsen <paul.madsen at gmail.com> wrote:
>
>> inline
>> On 9/29/14, 3:03 PM, John Bradley wrote:
>>> Inline
>>> On Sep 29, 2014, at 1:23 PM, Emily Xu <exu at vmware.com> wrote:
>>>
>>>> I have a couple of questions related to NAPPS AppInfo endpoint.
>>>>
>>>> 1. In Section 7.2.1, it says "Access Token obtained from an OpenID 
>>>> Connect Authorization Request". I assume it means the access_token 
>>>> should contain "openid" in scope. Is it correct?
>>>
>>> The format of access tokens issued by the Authorization endpoint for 
>>> the AppInfo endpoint is unspecified, as the AppInfo endpoint and the 
>>> AS are tightly related and the tokens are opaque to the client.
>>>
>>> The Authorization request MUST have "openid" in the scopes 
>>> requested.  It is however up to the AS to decide if that needs to be 
>>> indicated in the access token.
>>>
>>>>
>>>> 2. In Section 7.2.2, it says
>>>>  "apps
>>>> REQUIRED (Array). One or more JSON objects containing claims about 
>>>> applications that the /TA/ can provide tokens or web boot-strap uri 
>>>> for."
>>>>
>>>> Any reason it must be "One or more" instead of "Zero or more"? If 
>>>> there are zero apps authorized for this particular user, what should 
>>>> the response be?
>>>
>>> OK, good point: if there are no apps then it would be an empty array. 
>>> I suspect that was a holdover from the TA validating the bundleid 
>>> directly, as the TA wouldn't have had much to do with zero apps.
>> if the user is authorized for *no* apps, then why would the AS return 
>> tokens to the TA in the first place?
>
> The AS wouldn't
>
> The problem was that the Appinfo endpoint description of the list of 
> apps implied that there would be at least one in the array.
>
> There might be zero apps listed for the TA.
>
> Also, because an app is listed in the app_info endpoint, that doesn't 
> guarantee that the AS will issue a token at any particular point in time.
>
> The TA can try to get a token from the AS anyway, by sending the bundleID.
>
>
> John B.
>>>
>>> I will make that change.
>>>
>>> John B.
>>>>
>>>> Thanks,
>>>> Emily
>>>> _______________________________________________
>>>> Openid-specs-native-apps mailing list
>>>> Openid-specs-native-apps at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-native-apps
>>>
>>
>
