[PROPOSAL] bare response / bare request
Kevin Turner
kevin at janrain.com
Fri Oct 6 22:25:05 UTC 2006
On Tue, 2006-10-03 at 19:42 -0700, Dick Hardt wrote:
> On 2-Oct-06, at 12:34 PM, Kevin Turner wrote:
> > On Sat, 2006-09-30 at 20:09 -0400, Dick Hardt wrote:
> >> Motivating Use Case
> >> ----------------------------
> >> The IdP would like to allow the user to click a link on the IdP to
> >> login to an RP. This requires a bare response to be able to be sent.
> >
> > How will RPs that customarily use a request nonce treat this?
>
> There will not be a request nonce -- could have the IdP say "none"
Implications of this:
1) RPs must always accept messages without a request nonce.
2) RPs must always accept messages at the same return_to URL.
which also means
3) RPs must never put nonces (or other tokens that will become invalid)
in the return_to, because if they did the IdP would not recognize it as
a nonce and remove it.
Are these things all okay? I'm not sure if they really break stuff, but
that puts a lot more restrictions on the return_to than I really feel
comfortable with. And quite possibly takes a lot of the utility out of
request nonces.
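The three implications above, worked through as an added illustration (hypothetical RP logic written for this page, not code from the thread or from any OpenID library; the endpoint URL, the rp_nonce parameter and the message fields are constructed):

```python
from urllib.parse import urlsplit, urlencode

# Constructed fixed RP endpoint; not taken from the thread.
RP_RETURN_TO = "https://rp.example/openid/return"


class RelyingParty:
    """Hypothetical RP that remembers the return_to URLs it has issued."""

    def __init__(self, accept_bare):
        self.accept_bare = accept_bare
        self.pending = set()  # return_to URLs (carrying a request nonce) awaiting a response

    def start_request(self, nonce):
        # Solicited flow: the RP embeds a request nonce in return_to, which is
        # exactly the practice implication 3 rules out for bare responses.
        return_to = RP_RETURN_TO + "?" + urlencode({"rp_nonce": nonce})
        self.pending.add(return_to)
        return return_to

    def handle_response(self, msg):
        """Return (accepted, reason) for an incoming assertion given as a dict of fields."""
        return_to = msg.get("openid.return_to", "")
        if return_to in self.pending:
            # One-shot: the nonce is consumed, so a replayed copy will not match again.
            self.pending.remove(return_to)
            return True, "solicited response matched an outstanding request nonce"
        parts = urlsplit(return_to)
        is_bare = (parts._replace(query="", fragment="").geturl() == RP_RETURN_TO
                   and not parts.query)
        if is_bare and self.accept_bare:
            # Bare response (implications 1 and 2): the IdP never saw a request,
            # so there is no request nonce to check and this path alone gives
            # no replay protection.
            return True, "bare response accepted without a request nonce"
        if is_bare:
            return False, "bare responses not accepted by this RP"
        return False, "return_to matches neither a pending request nor the bare endpoint"
```

Running the solicited flow twice shows the replay being caught; running a bare response twice shows it is not, which is the loss of utility the message worries about.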