[Code] Discussion continuation of AppAuth-JS PR #67

Chinthaka Senanayaka senanayakachinthaka at gmail.com
Mon Aug 20 06:27:45 UTC 2018


Hi,

Anybody to respond to these questions?

On Fri, Aug 10, 2018 at 4:50 PM Chinthaka Senanayaka <
senanayakachinthaka at gmail.com> wrote:

> Hi,
>
> AppAuth-JS PR #67 <https://github.com/openid/AppAuth-JS/pull/67> was
> closed with some comments, and I think the code is still useful for the
> community. And we may take the initiative for extension library development
> in the future for non-core OIDC (OpenID Connect) functionalities.
>
> We can contribute to the AppAuth-JS to have functionality aligning the
> OIDC spec.
>
> I have some questions to clarify.
>
> Q1. As of the core OIDC spec, we can add a userInfo route
> <http://openid.net/specs/openid-connect-core-1_0.html#UserInfo> to the AppAuth-JS
> library <https://github.com/openid/AppAuth-JS>. So, I have given on the #67
> PR an optional method to the library which is beneficial for you. Are you
> good with this? If not, please inform me of the alternative way in your
> architectural roadmap that you already have for OIDC; maybe I can
> contribute to that. But I still think the implementation of the userInfo route
> code is useful. Then I can send a separate PR only with the changes for
> userInfo.
>
> Moreover, as of PR #67 <https://github.com/openid/AppAuth-JS/pull/67>
> it seems you want to follow OAuth2, but this AppAuth-JS is about OpenID
> Connect I think, and it is listed under https://github.com/openid/* (OpenID
> Foundation). So, userInfo functionality should lie under the AppAuth-JS
> library. So, I see a contradiction here.
>
> Q2. What is your architectural approach for OIDC logout (end session
> route)? As of the draft OIDC spec, there should be a logout implementation
> <http://openid.net/specs/openid-connect-session-1_0.html#RPLogout>. In PR
> #67 <https://github.com/openid/AppAuth-JS/pull/67> I have added OIDC
> logout; since it is not in the core OIDC spec, we can move it to the
> extension library as well. Or else, since it is in the OIDC spec draft, I can
> send it as a separate PR. So, what is the future architectural move for
> this draft OIDC end session spec?
>
> Q3. PKCE for web clients: As of AppAuth-JS PR #28
> <https://github.com/openid/AppAuth-JS/issues/28> we can move with the
> authorization request field extras. But does that cover enough scope of the OAuth2
> PKCE spec <https://tools.ietf.org/html/rfc7636#section-1> by the OpenID
> Connect Foundation's AppAuth-JS library? If an AppAuth-JS user app should
> generate the PKCE verifier and challenge, the PKCE spec is not fully covered under
> this library; it flows to the user's code and it can be duplicated. What I
> can suggest is, we can give the verifier and challenge generated and added
> to the token request only if the user code does not send those fields via
> extras. What do you think about this?
>
> Q4. I assume WebCrypto means window.crypto here in JavaScript (it is not
> explained in PR #67 properly, because webcrypto-npm
> <https://www.npmjs.com/package/webcrypto>, window.crypto and webcrypto
> <https://developer.mozilla.org/en-US/docs/Web/API/Web_Crypto_API> all exist).
> I saw node_support, but using window.crypto will not work with Node.js. I saw
> AppAuth-JS has used a workaround in crypto_utils.ts
> <https://github.com/openid/AppAuth-JS/blob/master/src/crypto_utils.ts>
> line 29. For node support, it is like reinventing the wheel by not using an
> existing crypto library. But still I can send you a separate PR if you
> clearly explain the architectural requirement, because this is not related
> to any concerns with the OIDC spec or the OAuth2 spec.
>
> If there are any unclear points made by me, let me know.
>
> --
> Chinthaka Senanayaka
> Mobile: +94 77 11 99 603
> LinkedIn <https://lk.linkedin.com/in/csenanayaka>
>


-- 
It is all about attitude. Always trust yourself and be confident.

W. Chinthaka Senanayaka
Tech. Lead at WSO2 Inc.
MBA CMet UK (2015)
BSc (Hon's) in MIT, UoK, SL (2011)
JEE6WCDCE (2016), OCPJ6P (2015)
Mobile: +94 77 11 99 603
LinkedIn <https://lk.linkedin.com/in/csenanayaka>, Blogger
<http://chinthakasenanayaka.blogspot.com/>, Facebook
<https://www.facebook.com/ChinthakaSenanayaka>