[Openid-specs-ab] openid connect specs review

Johnny Bufu jbufu at janrain.com
Thu Jul 7 18:07:20 UTC 2011


Hi John,

On 11-07-06 08:30 PM, John Bradley wrote:
> Thanks for the feedback.

Found the Session Management spec, which covers some of the questions I 
had about the ID Token, but it is not linked from any of the documents I've 
explored previously; it should be referenced from Core, I think.

Following is a review of it.

Johnny

----------------------------------------------------------------

Session Management (draft 00 / June 29, 2011)

2. Terminology

Client definition overloaded, Core terminology already references OAuth.

Client Servlet is not defined.

ID Token has two definitions.

3.  Session Management

"In addition, session management for fourth parties such as desktop, 
native or mobile applications that utilizes authorization server 
credentials at fourth party web sites are also supported."

Grammar needs to be fixed here. The semantics are unclear: who are the 
fourth parties - the desktop/native/mobile apps, the web sites mentioned 
later, or both groups?

3.1.4.2.  Implicit Flow Response

"when response_type includes id_token, an ID Token MUST be returned in 
the response."

Where is the ID Token added? Query parameters or fragment?

The example includes the access token as a query parameter, contrary to 
the referenced OAuth 2.0 / Section 4.2.2 (which says it should be added 
to the fragment).

The example is missing the required token_type parameter.

3.1.5.4.  Token Access Response

"The request format is defined in section 4.1.4 of the OAuth 2.0 
[OAuth2.0] specification."

Should say "response format".

3.1.6.1.  Browser Load

"The client servlet then gets an ID Token that is session synchronized 
with the authorization server."

"session synchronized" should link to the corresponding section (reading 
through this section I had no idea what was meant by it, or that an 
explanation was following).

Also consider moving the Session Synchronization up in the document.

The "session synchronized" attribute of the ID Token could be asserted 
by the OP and part of the ID Token (rather than requiring clients to 
keep track of it separately).

3.2.1.  Refresh Session

"In a typical HTTP binding, an HTTP 302 redirect to the specified 
redirect_uri in the request with a new ID Token."

Grammar needs to be checked (missing predicate).

How is the new ID Token returned? Added to the query parameters or 
fragment, or either?

----------------------------------------------------------------
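The two implicit-flow points raised in the review above (tokens belong in the 
fragment per OAuth 2.0 Section 4.2.2, and token_type is required) are easy to 
check on the client side. The following is an added example written for this 
page; it is not code from the thread, from Janrain, or from the OpenID specs. 
It assumes the ID Token is delivered in the fragment next to the access token 
(the question the review leaves open), and every URL, token string and 
function name in it is constructed for illustration.

```javascript
// Added example (not from the thread or the OpenID/OAuth specs): validate an
// OAuth 2.0 / OpenID Connect implicit-flow redirect in a browser-side client,
// enforcing the two points the review raises:
//   1. tokens travel in the URL fragment (OAuth 2.0 sec. 4.2.2), never the query;
//   2. token_type is required; id_token is required when response_type asked for it.
// ASSUMPTION: the ID Token is carried in the fragment alongside the access token
// (the reviewed draft does not say where it goes).

const FRAGMENT_ONLY = ["access_token", "id_token", "token_type"];

function parseImplicitResponse(redirectUrl, responseType, expectedState) {
  const url = new URL(redirectUrl);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const errors = [];

  // Point 1: a token in the query string reaches server logs and Referer
  // headers, and violates sec. 4.2.2, so reject it outright.
  for (const name of FRAGMENT_ONLY) {
    if (query.has(name)) errors.push(`${name} must be in the fragment, not the query`);
  }

  if (fragment.has("error")) {
    return { ok: false, errors: [`authorization error: ${fragment.get("error")}`] };
  }

  const wants = new Set(responseType.split(/\s+/).filter(Boolean));
  const result = {};

  // Point 2: token_type is REQUIRED whenever an access token is issued.
  if (wants.has("token")) {
    if (!fragment.has("access_token")) errors.push("missing access_token");
    if (!fragment.has("token_type")) errors.push("missing token_type");
    else result.tokenType = fragment.get("token_type");
    result.accessToken = fragment.get("access_token");
    if (fragment.has("expires_in")) result.expiresIn = Number(fragment.get("expires_in"));
  }
  if (wants.has("id_token")) {
    if (!fragment.has("id_token")) errors.push("missing id_token");
    result.idToken = fragment.get("id_token");
  }

  // state binds the response to the request this client actually issued (CSRF check).
  if (expectedState !== undefined && fragment.get("state") !== expectedState) {
    errors.push("state mismatch");
  }

  return errors.length ? { ok: false, errors } : { ok: true, ...result };
}

// Constructed sample redirects with placeholder tokens (not real credentials),
// mirroring the cases the review calls out.
const GOOD =
  "https://client.example.com/cb#access_token=tok_example_1&token_type=bearer" +
  "&expires_in=3600&id_token=eyJhbGciOiJub25lIn0.e30.&state=af0ifjsldkj";
// Access token wrongly placed in the query string (the spec example's mistake).
const TOKEN_IN_QUERY =
  "https://client.example.com/cb?access_token=tok_example_1" +
  "#token_type=bearer&id_token=eyJhbGciOiJub25lIn0.e30.&state=af0ifjsldkj";
// Required token_type omitted.
const NO_TOKEN_TYPE =
  "https://client.example.com/cb#access_token=tok_example_1" +
  "&id_token=eyJhbGciOiJub25lIn0.e30.&state=af0ifjsldkj";

if (typeof require !== "undefined" && require.main === module) {
  for (const u of [GOOD, TOKEN_IN_QUERY, NO_TOKEN_TYPE]) {
    console.log(JSON.stringify(parseImplicitResponse(u, "id_token token", "af0ifjsldkj")));
  }
}
```

The check deliberately treats a token in the query string as a hard failure 
rather than falling back to reading it from there: accepting it would silently 
endorse the leak path the fragment rule exists to prevent.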
