[Openid-specs-ab] First version of OpenID Connect Lite spec ready for working group review
Johnny Bufu
jbufu at janrain.com
Mon Aug 1 23:48:14 UTC 2011
On 11-07-29 09:56 PM, Mike Jones wrote:
> Please give it a read!
> OpenID Connect Lite: http://openid.net/specs/openid-connect-lite-1_0.html
I gave it a read, here's my feedback:
3.1.1. Client Prepares an Authorization Request
"when an Access Token for the UserInfo endpoint is being requested in
addition to an ID Token"
How is an additional access token for the UserInfo endpoint requested
(and how is such a request omitted)? It's not clear whether including
'token' in the response_type parameter is the way to signal it, or
something else triggers this feature of the request.
Is 'callback' the authorization response? If yes, use the same term
rather than an undefined, potentially confusing one.
The specific processing and behavior associated with each of the
'display' parameter values is undefined; implementers are free to ignore
them as far as the spec is concerned.
The specific processing and behavior associated with each of the
'prompt' parameter values is undefined; implementers are free to ignore
them as far as the spec is concerned.
As currently defined, the nonce does not fulfill its declared purpose of
mitigating replay attacks in any way. The spec says which messages carry
it, but does not say how and by whom verifications should be performed.
3.1.4. Authorization Server Obtains the End-User Consent/Authorization
"the Authorization Server MUST obtain an authorization decision"
This is unachievable; the user cannot be forced to answer a question if
they don't want to. The spec should explicitly define the (negative)
authorization outcome in this case.
3.2.1. Introspection Request
"ID Token obtained from an OpenID Connect authorization request"
- should it not say "authorization response"?
- authorization response (3.1.5.1) does not contain an ID Token either
How is the ID Token sent via the authorization header? id_token=<value>,
just the value, or some other way?
3.2.2. Introspection Response
Example request lists an access_token instead of an id_token parameter.
3.2.3. Error Codes
invalid_access_token error code is defined, but an access token is not
mentioned in 3.2.1 Introspection Request.
3.2.4.1. Request Verification
"all required parameters are present and valid"
What are the rules for determining if each parameter value is valid or not?
Johnny
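The nonce comment above is about the spec not saying who verifies the nonce and how. The following is an added example (not part of this message, the OpenID Connect Lite draft, or any OpenID Foundation code) of what that verification looks like on the relying party side: the RP mints a nonce, binds it to the end-user's session, sends it in the authorization request, and accepts an ID Token only if the token echoes that exact nonce, after which the nonce is consumed so a replayed token cannot pass a second time. To run offline, the ID Token is an HS256 compact JWS over a constructed shared secret; the issuer, client_id and secret values are assumed, and the claim names (iss, sub, aud, exp, nonce) follow OpenID Connect.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed values for the example; nothing here comes from the spec draft.
ISSUER = "https://op.example"                                 # assumed OP identifier
CLIENT_ID = "rp-client-1"                                     # assumed RP client_id
SHARED_SECRET = b"example-shared-secret-not-for-production"   # constructed, HS256 key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_session_nonce(session: dict) -> str:
    """RP step 1: mint an unpredictable nonce and remember it in the user's session.
    The returned value goes into the authorization request as the 'nonce' parameter."""
    nonce = secrets.token_urlsafe(32)
    session["oidc_nonce"] = nonce
    return nonce


def issue_id_token(subject: str, nonce: str, now=None) -> str:
    """OP side (constructed stand-in): sign an ID Token that echoes the request nonce."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(id_token: str, session: dict, now=None) -> dict:
    """RP step 2: check signature, issuer, audience and expiry, then the session-bound nonce.
    The pending nonce is removed from the session whether or not it matches, so each
    nonce is single-use and a replayed ID Token is rejected on its second presentation."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = id_token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected_sig = hmac.new(SHARED_SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    expected_nonce = session.pop("oidc_nonce", None)   # consume: single use
    if expected_nonce is None:
        raise ValueError("no nonce pending for this session")
    if not hmac.compare_digest(expected_nonce.encode(), str(claims.get("nonce", "")).encode()):
        raise ValueError("nonce mismatch")
    return claims


def demo():
    """Happy path, then a replay of the same token, then a token carrying a foreign nonce."""
    session = {}
    nonce = new_session_nonce(session)
    token = issue_id_token("user-42", nonce, now=1_700_000_000)
    accepted = verify_id_token(token, session, now=1_700_000_001)["sub"] == "user-42"
    try:
        verify_id_token(token, session, now=1_700_000_001)   # nonce already consumed
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    other = {}
    new_session_nonce(other)
    foreign = issue_id_token("user-42", "nonce-minted-elsewhere", now=1_700_000_000)
    try:
        verify_id_token(foreign, other, now=1_700_000_001)   # nonce not bound to this session
        foreign_rejected = False
    except ValueError:
        foreign_rejected = True
    return accepted, replay_rejected, foreign_rejected


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The point the example makes is that the nonce only mitigates replay if the RP is the party that checks it, against state it stored before redirecting the user, and if that state is discarded once used; a nonce that is merely carried through the messages and never compared to anything gives no protection.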