[Openid-specs-ab] Connect Question: Variable "signed" in the response
hideki nara
hdknr at ic-tact.co.jp
Thu Jan 6 07:55:15 UTC 2011
access_token is enough.
If the other token format than JWT can be allowed, we need some way
to negotiate.
"code" looks like an artifact. But if tokens are forced to be in
self-describing forms, "code" seems to be ok.
---
hdknr
2011/1/6 Breno de Medeiros <breno at google.com>:
> +1
> Everything about the response content should be signed. It just makes things
> simpler to process.
>
> On Wed, Jan 5, 2011 at 02:40, Nat Sakimura <sakimura at gmail.com> wrote:
>>
>> Hi.
>> The current openidconnect.com page has a variable "signed" in the
>> response.
>> It is a new variable which is not present in the current OAuth draft.
>> The "signed" includes access_token and user_id among other things. It
>> probably should be a JWT.
>> Should we continue to use "signed" or other variable name?
>> The reason why I am asking this are:
>> 1. It looks a lot like a structured "code" or "access_token". Perhaps
>> should we call it "access_token" (or "code") instead?
>> 2. If we are to introduce a new variable, "signed" seem to be a little too
>> generic. Is there a better name for it? (Perhaps "openid"?)
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
>
>
> --
> --Breno
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
More information about the Openid-specs-ab
mailing list