[Openid-specs-ab] openid connect specs review
Johnny Bufu
jbufu at janrain.com
Thu Jul 7 19:53:14 UTC 2011
Here's the feedback I have for the Discovery draft.
Johnny
----------------------------------------------------------------
Discovery (draft 01 / July 4, 2011)
2. Terminology
Core and OAuth 2.0 terminology is not referenced; this seems
intentional, since many terms are re-defined, however not as thoroughly.
Why isn't Discovery referencing them from the other specs?
Authorization Server is not defined.
Unique identifiers are mentioned, however the scope within which they
are/should be unique is not specified.
The term Principal is overloaded:
"human resource owner" in Terminology
"identifier of the target end user" in Provider Discovery
3. Provider Discovery
"Provider discovery is optional, If a RP knows through an out of band
mechinisim that all identifiers containing particular have the same
issuer then they can ship this step and procede to Section 4."
It's not clear what is meant by "identifiers containing particular".
Typos: mechinisim -> mechanism, ship -> skip, procede -> proceed
"Provider discovery Simple Web Discovery requires the following
information to make a discovery request:"
Sentence seems to have two subjects.
"What MUST be returned in the response is the Java origin of the Issuer."
What is a Java origin?
3.1. Identifier Normalization
The purpose and output of normalization should be made clear here
(extract principal and host), rather than in the middle of a paragraph
in the previous section.
"The user identifier can be one of the following: <list>"
This is underspecified: unclear if the list is complete, or what else
can qualify as an identifier.
Terminology and Provider Discovery operate with generic identifiers,
normalization provides a list for what can be a "user" identifier - is
this intentional?
3.1.3. URL
"If the URL does not have a "http" or "https" scheme, the string
"https://" is prefixed to the URL."
How is it determined that a scheme-less identifier is a URL? Terminology
defines URL identifiers as either HTTP or HTTPS URIs.
4. Provider Configuration Information
It is unclear if what's described in this section is optional or not:
"This step is optional."
"OpenID providers MUST make available a JSON document
at the path .well-known/openid-configuration."
"Using the Issuer ID discoverd in Section 3"
Issuer ID is not mentioned at all in Section 3.
typos: discoverd -> discovered, retreved -> retrieved
4.2. Provider Configuration Response
typo: neccicary -> necessary
----------------------------------------------------------------
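Added example (mine, not the draft's text or anything from this message): a normalization routine that does what sections 3.1 and 3.1.3 describe, extracting principal and host and prefixing "https://" to a scheme-less URL, so the ambiguity raised above is visible in code. The split between e-mail-style and URL identifiers on "@", and the rejection of non-http(s) schemes, are my assumptions, since the draft's identifier list is not quoted here.

```python
import re
from urllib.parse import urlsplit

# Assumption: any "scheme:" prefix is detected with this pattern; the draft's
# Terminology only allows HTTP or HTTPS URIs as URL identifiers.
_SCHEME_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.\-]*:")


def normalize_identifier(identifier: str) -> dict:
    """Return the principal and host extracted from an end-user identifier."""
    ident = identifier.strip()
    if not ident:
        raise ValueError("empty identifier")
    has_http_scheme = ident.lower().startswith(("http://", "https://"))
    if _SCHEME_RE.match(ident) and not has_http_scheme:
        # e.g. "mailto:" or "ftp:": not an HTTP/HTTPS URL, so refuse rather
        # than blindly prefixing "https://" and producing a bogus host.
        raise ValueError("only http/https URL identifiers are allowed")
    if "@" in ident and not has_http_scheme:
        # Assumed e-mail style identifier: principal is the local part,
        # host is the domain part.
        principal, _, host = ident.rpartition("@")
        if not principal or not host:
            raise ValueError("malformed e-mail identifier")
        return {"type": "email", "principal": principal,
                "host": host.lower(), "url": None, "scheme_assumed": False}
    # 3.1.3: a string without an http/https scheme is treated as a URL and
    # "https://" is prefixed. Nothing in the input proves it was a URL, which
    # is the review's point, so the result records that the scheme was assumed.
    scheme_assumed = not has_http_scheme
    url = ident if has_http_scheme else "https://" + ident
    parts = urlsplit(url)
    if not parts.hostname:
        raise ValueError("URL identifier has no host")
    if parts.username or parts.password:
        raise ValueError("userinfo is not allowed in a URL identifier")
    return {"type": "url", "principal": url, "host": parts.hostname,
            "url": url, "scheme_assumed": scheme_assumed}
```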