[Openid-specs-ab] Redirect URL or URI?
Mike Jones
Michael.Jones at microsoft.com
Thu Jul 28 23:39:07 UTC 2011
Another question from the call: Is there some circumstance in which the redirect URL can actually be an URN, rather than a URL? In that case, Casper's proposed change of redirect_url to redirect_uri would make sense. But if it can only be a URL, it doesn't. (Yes, OAuth called it a URI, but in the OpenID specs, we've tried to be consistent in naming things that can only be URLs URL, versus things that can be URNs URIs.)
Thanks again,
-- Mike
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Thursday, July 28, 2011 3:53 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Spec call notes 28-Jul-11
Spec call notes 28-Jul-11
Mike Jones
John Bradley
Edmund Jay
Nat Sakimura
Johnny Bufu
Agenda:
Specific questions about spec features
audience parameter in request
nonce parameter in request
req -> request in OAuth request
Can a redirect_url be a redirect URI?
Editing updates
IPR Contribution Agreements
audience parameter in request
A bad RP could put in someone else's audience
Do we not pass it and have audience constructed out of return_to?
Edmund thought this had to do with input from Breno about native clients
We don't have enough information to use it properly - will remove unless clarified
nonce parameter in request
Should RP supply a nonce or just request that a nonce be used?
John asked what the difference between nonce and state is
Edmund thought that this was something specific to Facebook
Nat pointed out that we haven't said anything about processing rules for the nonce
Other than that the value is returned in id_token
No rule about verifying nonce, at present
John will look at the Facebook documentation and investigate their usage
If not required for the Lite spec, it should probably be removed there
req -> request in OAuth HTTP request
We agreed to make this change
Can a redirect_url be a redirect URI?
We think no
This is separate from the js_origin_url
(The js_origin_url may not use an http scheme, but is still a redirect target)
Nat wondered whether he wanted to change the name just to be closer to OAuth
Editing updates
Mike has reviewed Casper's edits and is ready to check them in, modulo the discussions above
John has the Lite spec down to about 15 pages including Security Considerations
This includes id_token
Without security considerations and references is 10 pages, including 1.5 pages of index
Or roughly 8 pages of spec material
John reverted the text to use the name "Introspection Endpoint"
John asked whether we should copy the relevant portions of the Discovery spec into Lite
We agreed no, saying that Discovery is optional and could be replaced by manual configuration
Besides producing Lite, we also need to produce:
Standard
Messages (Core and Framework)
Already have:
Discovery
Registration
Session Management
Lite is pared down to the world view of an RP
Compliance for IdPs may be different for IdPs than for RPs
IdPs should support code and token flows but RPs can just support token
Say this in a conformance section in Standard
IPR Contribution Agreements
Nat will review the list archives and produce a list of people we need IPR agreements from
We should not go to an implementer's draft until we have the appropriate agreements in place
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110728/a3f22466/attachment.html>
More information about the Openid-specs-ab
mailing list