[PROPOSAL] bare response / bare request

Kevin Turner kevin at janrain.com
Fri Oct 6 22:25:05 UTC 2006


On Tue, 2006-10-03 at 19:42 -0700, Dick Hardt wrote:
> On 2-Oct-06, at 12:34 PM, Kevin Turner wrote:
> > On Sat, 2006-09-30 at 20:09 -0400, Dick Hardt wrote:
> >> Motivating Use Case
> >> ----------------------------
> >> The IdP would like to allow the user to click a link on the IdP to
> >> login to an RP. This requires a bare response to be able to be sent.
> >
> > How will RPs that customarily use a request nonce treat this?
> 
> There will not be a request nonce -- could have the IdP say "none"

Implications of this:

1) RPs must always accept messages without a request nonce.

2) RPs must always accept messages at the same return_to URL.

which also means

3) RPs must never put nonces or (other tokens that will become invalid)
in the return_to, because if they did the IdP would not recognize it as
a nonce and remove it.


Are these things all okay?  I'm not sure if they really break stuff, but
that puts a lot more restrictions on the return_to than I really feel
comfortable with.  And quite possibly takes a lot of the utility out of
request nonces.
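To make the three implications concrete, here is RP-side verification logic as an added example (written for this page, not code from the thread or from any OpenID library; the return URL and the `rp.nonce` parameter name are assumed). It contrasts an RP that only accepts solicited responses carrying its own request nonce with one that also accepts bare responses, and shows why implication 3 rules out tokens in the return_to.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed values for this example; the thread names neither the RP's
# URL nor the parameter an RP would use for its request nonce.
RP_RETURN_TO = "https://rp.example/openid/return"
NONCE_PARAM = "rp.nonce"  # assumed name of the RP's request nonce parameter


def has_transient_tokens(return_to):
    """Implication 3: a return_to that carries a per-request token cannot
    serve as the fixed return_to a bare response would be sent to."""
    return NONCE_PARAM in parse_qs(urlsplit(return_to).query)


def verify_response(params, issued_nonces, allow_bare):
    """params: response fields (dict); issued_nonces: set of nonces this RP
    handed out and has not yet consumed.  Returns (accepted, reason)."""
    return_to = params.get("openid.return_to")
    if return_to is None:
        return False, "missing return_to"
    parts = urlsplit(return_to)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if base != RP_RETURN_TO:
        # Implication 2: every response must land on the RP's one return_to.
        return False, "return_to does not match the RP's registered URL"
    nonce = parse_qs(parts.query).get(NONCE_PARAM, [None])[0]
    if nonce is None:
        # Implication 1: a bare response carries no request nonce at all, so
        # the RP has nothing to bind it to a request it made.
        if not allow_bare:
            return False, "no request nonce; bare responses not accepted"
        return True, "bare response accepted on the fixed return_to"
    if nonce not in issued_nonces:
        # Unknown nonce: either never issued, or already consumed (replay).
        return False, "unknown or replayed request nonce"
    issued_nonces.discard(nonce)  # single use: a replay now fails above
    return True, "solicited response accepted"
```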
More information about the specs mailing list