[Openid-specs-ab] Connect Question: Variable "signed" in the response

David Recordon dr at fb.com
Wed Jan 5 18:16:51 UTC 2011


On 1/5/11 2:40 AM, "Nat Sakimura" <sakimura at gmail.com> wrote:
Hi.

The current openidconnect.com page has a variable "signed" in the response.
It is a new variable which is not present in the current OAuth draft.
The "signed" includes access_token and user_id among other things. It probably should be a JWT.

Yeah, it should be a signed JWT. I spec'd it out before JWT was really concrete. I believe the key names would largely remain the same.


Should we continue to use "signed" or other variable name?

Chose `signed` because the OAuth response contains some of these same parameters (e.g. `access_token`) in an unsigned form. Calling it signed makes it really clear to the developer that this is signed data and they should be verifying the signature.

I don't think we should call it `access_token` or `code` especially since an access token is contained within it.

I'm not strongly against calling it `openid` but also not convinced that it's necessary.


The reasons why I am asking this are:

1. It looks a lot like a structured "code" or "access_token". Perhaps we should call it "access_token" (or "code") instead?
2. If we are to introduce a new variable, "signed" seems to be a little too generic. Is there a better name for it? (Perhaps "openid"?)


--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
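
The check the thread asks developers to make, as an added example that is not part of the original message or of any OpenID Connect draft. It assumes `signed` is a compact JWT signed with HS256 under a shared client secret; the algorithm, the secret and all helper names are assumptions, and only `signed`, `access_token` and `user_id` come from the thread.

```python
import base64, hashlib, hmac, json

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_signed(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"

def verify_response(response: dict, secret: bytes) -> dict:
    """Return the verified claims from response['signed'] or raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = response["signed"].split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (KeyError, ValueError) as exc:
        raise ValueError("malformed signed parameter") from exc
    # Pin the algorithm on the verifier side; the token must not choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # The response also carries access_token unsigned; it must match the
    # signed copy, otherwise the unsigned value cannot be trusted.
    signed_token = claims.get("access_token")
    plain_token = response.get("access_token")
    if not isinstance(signed_token, str) or not isinstance(plain_token, str):
        raise ValueError("access_token missing")
    if not hmac.compare_digest(signed_token.encode(), plain_token.encode()):
        raise ValueError("access_token mismatch")
    return claims

# Constructed sample response (values are made up for this example).
SECRET = b"constructed-client-secret"
GOOD = {
    "access_token": "tok-123",
    "signed": make_signed({"access_token": "tok-123", "user_id": "u-42"}, SECRET),
}

if __name__ == "__main__":
    print(verify_response(GOOD, SECRET))
```
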