[OpenID] Comments on openid-igov-openid-connect-1_0 draft 02

Manger, James James.H.Manger at team.telstra.com
Fri Sep 1 01:51:43 UTC 2017


Comments on “International Government Assurance Profile (iGov) for OpenID Connect 1.0 - Draft 02” http://openid.net/specs/openid-igov-openid-connect-1_0.html:

§3.1 “ID Tokens” Both examples are wrong.

*        The 1st example is missing a dot between the 2nd & 3rd segments of the JWT.
WRONG …MTJ9mQc0…
RIGHT  …MTJ9.mQc0…

*        The 1st segment decodes to {"alg":"RS256"}, which is inadequate. It at least needs a “kid” member.

*        The “iss” value in the base64url-encoding escapes “/” as “\/”, which is unnecessary but allowed. However, when shown as JSON in the 2nd example the escaping is wrong.
WRONG  "iss": "https:\\/\\/idp-p.example.com\\/",
BEST        "iss": "https://idp-p.example.com/",
OKAY      "iss": "https:\/\/idp-p.example.com\/",

*        The JSON shows a "vot": "" member that is not present in the base64url-encoding. If “vot” was present, the text says “vtm” is REQUIRED.

*        §3.2 “UserInfo Endpoint” example Bearer token is wrong: dot is in the wrong place. Probably should be “…MTJ9.iHM…” instead of “…MTJ9i.HM…”.

*        §3.2 “UserInfo Endpoint” example “iss” is missing trailing “/”

*        §3.6 “Discovery” Text says the discovery doc MUST include a “vot” field, but no such field is in the example. And it would be more consistent with other members to label it, say, “vot_values_supported”.

Comments on “International Government Assurance Profile (iGov) for OAuth 2.0 - Draft 02” http://openid.net/specs/openid-igov-oauth2-1_0.html:


*        §2.1.1 “Requests to the Authorization Endpoint” says clients "MUST include their full redirect URIs in the authorization request", but the example doesn't include it. The example has client_id, nonce, response_type and scope parameters; but no redirect_uri.

*        §2.1.1 It should also be “URI” singular (not “URIs” plural) as though a client might have multiple URIs registered, it can only include 1 in any particular request.

*        §2.1.2 Example POST to /token doesn't include redirect_uri.

*        §4.2 typo "acceept" → "accept"

P.S. Apologies for a couple of incomplete previous emails. What I thought was a shortcut for § was treated as a shortcut for “Send” ; (

--
James Manger
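The structural mistakes listed above (a missing dot between JWT segments, a JOSE header without "kid", a "vot" claim without "vtm", and the over-escaped "iss" in the JSON rendering) are all things a relying party's token parser can catch before signature verification is even attempted. The following is an added example, not code from the iGov drafts or from the email; the tokens, key id and claim values are constructed here for illustration, and the signature segment is a placeholder because signature checking is outside what this check demonstrates.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWS strips."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the way JWS segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_jwt_shape(token: str, expected_iss: str) -> dict:
    """Structural checks a verifier runs before touching the signature.

    Returns {"ok": bool, "problems": [...], "header": dict|None, "claims": dict|None}.
    """
    problems = []
    parts = token.split(".")
    if len(parts) != 3:
        # A compact JWS is exactly header.payload.signature; anything else is malformed.
        problems.append(f"expected 3 dot-separated segments, got {len(parts)}")
        return {"ok": False, "problems": problems, "header": None, "claims": None}
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError) as exc:
        problems.append(f"segment does not decode to JSON: {exc}")
        return {"ok": False, "problems": problems, "header": None, "claims": None}
    if "kid" not in header:
        # Without a key id the verifier cannot select which issuer key to use.
        problems.append("header lacks 'kid'")
    if claims.get("iss") != expected_iss:
        # Exact string comparison: a missing trailing '/' is a different issuer.
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_iss!r}")
    if "vot" in claims and "vtm" not in claims:
        # The draft text makes 'vtm' REQUIRED whenever 'vot' is present.
        problems.append("'vot' present without 'vtm'")
    return {"ok": not problems, "problems": problems, "header": header, "claims": claims}


def parse_iss_text(json_text: str) -> str:
    """Parse a JSON object and return its 'iss' member as the decoded string."""
    return json.loads(json_text)["iss"]


# --- Constructed sample data (not the draft's example tokens) -----------------
EXPECTED_ISS = "https://idp-p.example.com/"
GOOD_HEADER = {"alg": "RS256", "kid": "example-key-1"}  # hypothetical key id
GOOD_CLAIMS = {
    "iss": EXPECTED_ISS,
    "sub": "alice",
    "aud": "client-1",
    "vot": "P1.Cc",
    "vtm": "https://idp-p.example.com/vtm",
}
FAKE_SIG = b64url_encode(b"placeholder-not-a-real-signature")


def make_token(header: dict, claims: dict) -> str:
    """Assemble a compact JWS from header and claims with the placeholder signature."""
    compact = {"separators": (",", ":")}
    return ".".join([
        b64url_encode(json.dumps(header, **compact).encode()),
        b64url_encode(json.dumps(claims, **compact).encode()),
        FAKE_SIG,
    ])


GOOD_TOKEN = make_token(GOOD_HEADER, GOOD_CLAIMS)
# Reproduce the draft's first defect: no dot between the 2nd and 3rd segments.
MISSING_DOT_TOKEN = "".join(GOOD_TOKEN.rsplit(".", 1))
# Reproduce the second: a header that carries only "alg".
NO_KID_TOKEN = make_token({"alg": "RS256"}, GOOD_CLAIMS)
# Reproduce the third: "vot" without the required "vtm".
VOT_NO_VTM_TOKEN = make_token(GOOD_HEADER, {k: v for k, v in GOOD_CLAIMS.items() if k != "vtm"})

# The two JSON renderings of "iss": escaping "/" as "\/" is legal and decodes
# to a plain URL; doubling the backslash leaves literal backslashes in the value.
ISS_OKAY_JSON = r'{"iss": "https:\/\/idp-p.example.com\/"}'
ISS_WRONG_JSON = r'{"iss": "https:\\/\\/idp-p.example.com\\/"}'

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("missing-dot", MISSING_DOT_TOKEN),
                      ("no-kid", NO_KID_TOKEN), ("vot-no-vtm", VOT_NO_VTM_TOKEN)]:
        print(name, check_jwt_shape(tok, EXPECTED_ISS)["problems"])
    print("okay json ->", parse_iss_text(ISS_OKAY_JSON))
    print("wrong json ->", parse_iss_text(ISS_WRONG_JSON))
```

The issuer comparison is a plain string equality on purpose: normalising away a trailing slash would paper over the §3.2 inconsistency the email points out, whereas an exact match makes an example that disagrees with the discovery document fail loudly.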
