[Openid-specs-risc] bugs in oauth event types
phil.hunt at oracle.com
Thu Jul 12 20:08:43 UTC 2018
Regarding the OAuth-event-types spec,
Figures 3 and 4 example appears to be invalid. Token_identifier_alg in the examples are set to “token_string” which is not a valid value according to sec 2.1. Should these examples be “plain”?
The definitions need to fully define what is meant by “plain” or “token_string”. IOW I presume you mean a copy of the original token.
I would prefer fewer options to avoid need for discovery and negotiation of options. Otherwise everyone has to support everything.
I don’t see any security issue with just picking a single hash alg here. The goal is not security or privacy but simply to shrink the message size compared to sending the whole token.
To avoid optionality and create simplicity, I would prefer:
A. A specified has use to match tokens for all cases OR
B. A copy of the entire token as a string.
Oracle Corporation, Identity Cloud Services Architect
www.independentid.com <http://www.independentid.com/>phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-risc