[Openid-specs-ab] UserInfo endpoint comments
George Fletcher
gffletch at aol.com
Tue Jun 28 17:06:28 UTC 2011
Hi,
I noticed that the user info endpoint requires the token to be passed in
the access_token parameter. Is there a reason this endpoint isn't a full
OAuth2 endpoint? Should the endpoint allow the access_token to be
specified in the HTTP Authorization header? The spec currently doesn't
define error responses, etc. I think it would be valuable to just say
the endpoint is an OAuth2 compatible endpoint and we can then leverage
all the error flows from the OAuth2 spec.
I'm also assuming that the user info endpoint allows both GET and POST
but only over SSL. It might be good to clarify that as well.
Thanks,
George
--
Chief Architect AIM: gffletch
Identity Services Engineering Work: george.fletcher at teamaol.com
AOL Inc. Home: gffletch at aol.com
Mobile: +1-703-462-3494 Blog: http://practicalid.blogspot.com
Office: +1-703-265-2544 Twitter: http://twitter.com/gffletch