[OpenID] Comments on openid-igov-openid-connect-1_0 draft 02
Manger, James
James.H.Manger at team.telstra.com
Fri Sep 1 01:51:43 UTC 2017
Comments on “International Government Assurance Profile (iGov) for OpenID Connect 1.0 - Draft 02” http://openid.net/specs/openid-igov-openid-connect-1_0.html:
§3.1 “ID Tokens”: both examples are wrong.
* The 1st example is missing a dot between the 2nd & 3rd segments of the JWT.
WRONG …MTJ9mQc0…
RIGHT …MTJ9.mQc0…
* The 1st segment decodes to {"alg":"RS256"}, which is inadequate. It at least needs a “kid” member.
* The “iss” value in the base64url-encoding escapes “/” as “\/”, which is unnecessary but allowed. However, when shown as JSON in the 2nd example the escaping is wrong.
WRONG "iss": "https:\\/\\/idp-p.example.com\\/",
BEST "iss": "https://idp-p.example.com/",
OKAY "iss": "https:\/\/idp-p.example.com\/",
* The JSON shows a "vot": "" member that is not present in the base64url-encoding. If “vot” is present, the text says “vtm” is REQUIRED.
* §3.2 “UserInfo Endpoint” example Bearer token is wrong: dot is in the wrong place. Probably should be “…MTJ9.iHM…” instead of “…MTJ9i.HM…”.
* §3.2 “UserInfo Endpoint” example “iss” is missing trailing “/”
* §3.6 “Discovery” Text says the discovery doc MUST include a “vot” field, but no such field is in the example. And it would be more consistent with other members to label it, say, “vot_values_supported”.
Comments on “International Government Assurance Profile (iGov) for OAuth 2.0 - Draft 02” http://openid.net/specs/openid-igov-oauth2-1_0.html:
* §2.1.1 “Requests to the Authorization Endpoint” says clients "MUST include their full redirect URIs in the authorization request", but the example doesn't include it. The example has client_id, nonce, response_type and scope parameters, but no redirect_uri.
* §2.1.1 It should also be “URI” singular (not “URIs” plural): although a client might have multiple URIs registered, it can only include one in any particular request.
* §2.1.2 Example POST to /token doesn't include redirect_uri.
* §4.2 typo "acceept" → "accept"
P.S. Apologies for a couple of incomplete previous emails. What I thought was a shortcut for § was treated as a shortcut for “Send” ;(
--
James Manger
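The structural checks listed above for the §3.1 and §3.2 examples (three dot-separated JWT segments, a “kid” in the header, an “iss” whose escaping survives parsing, “vtm” accompanying “vot”) can be turned into a small linter for spec examples. The Python below is an added example written for this page, not code from the iGov profile or its authors; the header, claim values, key id and signature bytes are constructed placeholders, and the signature is deliberately not verified because the point is the shape of a documentation example, not a live token.

```python
import base64
import json

# Constructed example values; not taken from the iGov profile's own examples.
EXPECTED_ISS = "https://idp-p.example.com/"
HEADER_NO_KID = '{"alg":"RS256"}'
HEADER_WITH_KID = '{"alg":"RS256","kid":"constructed-key-id"}'
# JSON allows "/" to be written as "\/"; json.loads turns it back into "/".
PAYLOAD = (r'{"iss":"https:\/\/idp-p.example.com\/","sub":"constructed-subject",'
           r'"aud":"constructed-client","exp":1504230703,"iat":1504230103}')


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the compact form strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_example_token(header_json: str, payload_json: str) -> str:
    """Assemble header.payload.signature with a placeholder signature (nothing is signed)."""
    sig = b64url_encode(b"constructed placeholder signature")
    return ".".join([b64url_encode(header_json.encode()), b64url_encode(payload_json.encode()), sig])


def lint_id_token_example(token: str, expected_iss: str) -> list[str]:
    """Return the structural problems found in an ID token example; an empty list means clean.
    The signature is not checked: this lints the shape of a spec example, not a live token."""
    parts = token.split(".")
    if len(parts) != 3:
        # A missing dot merges two segments and makes the token undecodable.
        return [f"expected 3 dot-separated segments, got {len(parts)}"]
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    problems = []
    if header.get("alg") in (None, "none"):
        problems.append('header "alg" missing or "none"')
    if "kid" not in header:
        # Without "kid" a relying party cannot pick the signing key from the JWKS.
        problems.append('header lacks "kid"')
    if payload.get("iss") != expected_iss:
        problems.append(f'"iss" is {payload.get("iss")!r}, expected {expected_iss!r}')
    if "vot" in payload and "vtm" not in payload:
        problems.append('"vot" present without "vtm"')
    return problems


def lint_rendered_claims(json_text: str, expected_iss: str) -> list[str]:
    """Check the decoded-JSON rendering of the claims in the spec text."""
    # Over-escaping the solidus (backslash backslash slash instead of backslash slash)
    # leaves literal backslashes in "iss" after parsing, so it no longer names the issuer.
    iss = json.loads(json_text).get("iss")
    return [] if iss == expected_iss else [f'rendered "iss" parses to {iss!r}, expected {expected_iss!r}']


if __name__ == "__main__":
    good = build_example_token(HEADER_WITH_KID, PAYLOAD)
    print("well-formed:", lint_id_token_example(good, EXPECTED_ISS))
    print("no kid:", lint_id_token_example(build_example_token(HEADER_NO_KID, PAYLOAD), EXPECTED_ISS))
    h, p, s = good.split(".")
    print("missing dot:", lint_id_token_example(h + "." + p + s, EXPECTED_ISS))
    print("over-escaped iss:", lint_rendered_claims(r'{"iss": "https:\\/\\/idp-p.example.com\\/"}', EXPECTED_ISS))
```

Running the script reports an empty list for the well-formed token and one problem for each of the defects raised above. The "\/" form in PAYLOAD round-trips cleanly, which is why the email calls it unnecessary but allowed; the "\\/" form only fails once the rendered JSON is actually parsed.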