[Openid-specs-risc] bugs in oauth event types

Phil Hunt phil.hunt at oracle.com
Thu Jul 12 20:08:43 UTC 2018

Regarding the OAuth-event-types spec,

The examples in Figures 3 and 4 appear to be invalid. Token_identifier_alg in the examples is set to “token_string”, which is not a valid value according to sec 2.1. Should these examples be “plain”?

The definitions need to fully define what is meant by “plain” or “token_string”. IOW I presume you mean a copy of the original token.

I would prefer fewer options to avoid the need for discovery and negotiation of options. Otherwise everyone has to support everything.

I don’t see any security issue with just picking a single hash alg here. The goal is not security or privacy but simply to shrink the message size compared to sending the whole token.

To avoid optionality and create simplicity, I would prefer:

A.  A specified hash used to match tokens for all cases, OR
B.  A copy of the entire token as a string.


Oracle Corporation, Identity Cloud Services Architect
www.independentid.com <http://www.independentid.com/>
phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
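
The two options proposed in the message above, sketched from the receiver's side as an added example (not code from the original message or from the spec). It assumes SHA-256 as the single fixed hash, a hypothetical label "S256" for it, and a hypothetical `token_identifier` field carrying the value; the tokens are constructed samples.

```python
import base64
import hashlib

# Assumed labels: "plain" is the value the message suggests for a full token
# copy; "S256" is a hypothetical name for the one fixed hash (SHA-256).
ACCEPTED_ALGS = {"plain", "S256"}


def s256(token: str) -> str:
    """Base64url (unpadded) SHA-256 digest of a token string."""
    digest = hashlib.sha256(token.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class TokenStore:
    """Receiver-side index of issued tokens, keyed by their digest."""

    def __init__(self, tokens):
        self._by_digest = {s256(t): t for t in tokens}

    def match(self, event: dict):
        """Return the stored token an event refers to, or None if unknown."""
        alg = event.get("token_identifier_alg")
        ident = event.get("token_identifier")  # hypothetical field name
        # No negotiation: anything outside the fixed set is rejected outright,
        # which is what happens to the "token_string" value in the figures.
        if alg not in ACCEPTED_ALGS or not isinstance(ident, str):
            raise ValueError(f"unsupported token_identifier_alg: {alg!r}")
        # Option B carries the whole token; reduce it to the same digest so
        # both options share one lookup path.
        digest = s256(ident) if alg == "plain" else ident
        return self._by_digest.get(digest)


# Constructed sample tokens (not real credentials).
SAMPLE_TOKEN = "constructed-sample-access-token-" + "x" * 200
STORE = TokenStore([SAMPLE_TOKEN, "another-constructed-token"])

if __name__ == "__main__":
    by_hash = {"token_identifier_alg": "S256",
               "token_identifier": s256(SAMPLE_TOKEN)}
    by_copy = {"token_identifier_alg": "plain",
               "token_identifier": SAMPLE_TOKEN}
    print(STORE.match(by_hash) == STORE.match(by_copy) == SAMPLE_TOKEN)
    # The digest form is a fixed 43 characters regardless of token length.
    print(len(by_hash["token_identifier"]), len(by_copy["token_identifier"]))
```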