[Openid-specs-ab] Some feedback on OpenID Connect spec family
Mike Jones
Michael.Jones at microsoft.com
Wed Jul 13 18:33:54 UTC 2011
Agreed. One of the principles of this work has been that all data structures use JSON representations.
-- Mike
-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Breno de Medeiros
Sent: Wednesday, July 13, 2011 11:10 AM
To: Andrew Arnott
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Some feedback on OpenID Connect spec family
On Wed, Jul 13, 2011 at 07:40, Andrew Arnott <andrewarnott at gmail.com> wrote:
> I'm glad to hear there are safe ways to parse JSON. Perhaps pointing
> this out in the security considerations section is all that is necessary.
+1
Agree it is an important security topic to discuss, but would prefer not to add support for an alternative format to JSON since JSON is so baked into OAuth2.
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the
> death your right to say it." - S. G. Tallentyre
>
>
> On Wed, Jul 13, 2011 at 7:06 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>>
>>
>> On Wed, Jul 13, 2011 at 10:41 PM, Andrew Arnott
>> <andrewarnott at gmail.com>
>> wrote:
>>>
>>> On Wed, Jul 13, 2011 at 6:32 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>>
>>>> On Wed, Jul 13, 2011 at 12:27 PM, Andrew Arnott
>>>> <andrewarnott at gmail.com>
>>>> wrote:
>>>>>
>>>>> Some questions, or suggestions regarding the spec...
>>>>>
>>>>> Core
>>>>> Section 4.
>>>>> Why are UserInfo endpoint responses receivable in JSON? If it's
>>>>> to make javascript client code easier, then you're encouraging
>>>>> using "eval" to execute arbitrary code from an untrusted server.
>>>>> Query string syntax would protect against this, and is at least as
>>>>> friendly to web servers as JSON is.
>>>>
>>>> It was following OAuth's pattern of getting the response back in
>>>> JSON as well as following Facebook Graph API.
>>>> Perhaps it is better to define a Query string version of response
>>>> for the implicit flow. Opinions? > Connectors.
>>>>
>>>> I don't know that having a key value form encoding of the User info
>>>> endpoint response necessarily makes sense with some of the claims
>>>> being JSON objects themselves.
>>>> I suppose it is something that we could add as an option if someone
>>>> can describe a serialization.
>>>> The default response should remain JSON for the user Info endpoint.
>>>
>>> If the default response should remain JSON, are we going to have in
>>> the security section a comment saying RPs running as Javascript
>>> clients SHOULD NOT call the UserInfo endpoint and execute its
>>> results to deserialize the JSON objects? Do you agree that would be dangerous?
>>
>> Yes. Use a JSON parser like json_parse.js or json-sans-eval, which does
>> not do eval.
>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
--
--Breno
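Added example, not code from this thread, from the OpenID Connect drafts, or from either parser Nat names: a JavaScript RP handling a UserInfo response body. It shows the eval() pattern Andrew and John discuss running attacker-supplied code, JSON.parse and a regex-guarded eval (the technique used by Crockford's json2.js, which is a different approach from the eval-free json_parse.js / json-sans-eval) rejecting the same body without executing it, and an assumed post-parse check that the sub claim matches the user the RP already authenticated. Both response bodies and all claim values are constructed for the example.

```javascript
// Added example (not part of the thread or any OpenID spec): why a JavaScript RP
// must not eval() the UserInfo response, and how to parse it without eval.
// The two response bodies below are constructed for this example.

// A well-formed UserInfo response. Claim names follow the thread's discussion
// (sub, name, email_verified); the values are made up.
const GOOD_USERINFO = '{"sub":"248289761001","name":"Jane Doe","email_verified":true}';

// What a compromised or spoofed endpoint could return: valid JavaScript that
// is not JSON. eval() runs the attacker's function before handing back claims.
const EVIL_USERINFO =
  '(function(){ globalThis.pwned = true; return {"sub":"248289761001"}; })()';

// The dangerous pattern: "deserialize" by executing the response body.
function parseWithEval(text) {
  return (0, eval)('(' + text + ')'); // indirect eval: runs in global scope
}

// Safe option 1: the native parser. It never executes code and throws a
// SyntaxError on anything that is not JSON.
function parseWithJsonParse(text) {
  return JSON.parse(text);
}

// Safe option 2 (for engines without JSON.parse): reduce the text to its
// structural characters with the grammar regexes used by Crockford's json2.js,
// and only then eval. Anything that is not JSON fails the check and is never
// executed.
function parseWithGuardedEval(text) {
  const skeleton = text
    .replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, '@')                          // escapes
    .replace(/"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, ']') // tokens
    .replace(/(?:^|:|,)(?:\s*\[)+/g, '');                                            // array openers
  if (!/^[\],:{}\s]*$/.test(skeleton)) {
    throw new SyntaxError('response body is not JSON');
  }
  return (0, eval)('(' + text + ')');
}

// Parsing safely is not the same as trusting the content. Assumed RP-side
// check, not from the thread: require a JSON object whose sub is the string
// the RP already knows for this user (e.g. from the ID Token).
function parseUserInfo(text, expectedSub) {
  const claims = JSON.parse(text);
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new Error('UserInfo response is not a JSON object');
  }
  if (typeof claims.sub !== 'string' || claims.sub !== expectedSub) {
    throw new Error('UserInfo sub does not match the authenticated user');
  }
  return claims;
}

// Run all three parsers against both bodies and report what happened.
function demo() {
  const r = {};
  globalThis.pwned = false;

  r.evalGoodSub = parseWithEval(GOOD_USERINFO).sub;
  parseWithEval(EVIL_USERINFO);
  r.evalRanAttackerCode = globalThis.pwned; // true: the endpoint ran code in the RP

  globalThis.pwned = false;
  r.jsonParseGoodName = parseWithJsonParse(GOOD_USERINFO).name;
  try { parseWithJsonParse(EVIL_USERINFO); r.jsonParseRejected = false; }
  catch (e) { r.jsonParseRejected = e instanceof SyntaxError; }

  r.guardedGoodName = parseWithGuardedEval(GOOD_USERINFO).name;
  try { parseWithGuardedEval(EVIL_USERINFO); r.guardedRejected = false; }
  catch (e) { r.guardedRejected = e instanceof SyntaxError; }
  r.attackerCodeRanAfterSafeParsers = globalThis.pwned; // false: nothing executed

  r.subCheckPassed = parseUserInfo(GOOD_USERINFO, '248289761001').email_verified;
  try { parseUserInfo(GOOD_USERINFO, 'someone-else'); r.subMismatchRejected = false; }
  catch (e) { r.subMismatchRejected = true; }
  return r;
}
```

Usage: call demo() in a browser console or Node. The guarded-eval regexes only prove the body is JSON before it is evaluated; on any engine that has JSON.parse, use that and keep eval out of the RP entirely.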