[Openid-specs-ab] Spec call notes 31-May-11
Mike Jones
Michael.Jones at microsoft.com
Tue May 31 23:18:19 UTC 2011
(Special Tuesday call today because US Memorial Day was yesterday)
John Bradley
Mike Jones
Edmund Jay
Breno de Medeiros
Nat Sakimura
John talked about his 5/29/11 e-mail: "Implicit grant". The problem is that there is no audience restriction in the implicit grant, which is a problem with eliminating the OpenID Token. This allows any RP to use the token to impersonate you at any other RP! (The same security hole is present in Facebook Connect.) Implementing Breno's proposed TokenInfo endpoint is one way of closing this hole.
Breno asked whether we want to revisit the JWT decision to use short names and whether we want to perhaps document both long and short names for the JWT claims. Mike pointed out that people are already using the existing names and that having two names for the same thing is almost always an interoperability disaster.
Breno asked whether we want to change the parameter name from "openid" to something indicating the format of the token - for instance JWT and unsigned formats. The type name should include a version number, enabling the format to be revised. For instance, "connect1.0". Breno wants the token format to be moved outside the core spec. He said that RPs could then work without understanding the token content by using an RPC mechanism. This would allow Facebook to be compliant with the core spec without supporting a new token format.
This can be interoperable in the following way: If an IdP receives a request for a token format that it doesn't understand, it just doesn't return it. Then the RP can fall back to an RPC using the TokenInfo endpoint.
The MIME Type will be used to disambiguate response types, rather than sniffing the content (as was the case in Mike's write-up during the EIC).
Breno had talked with Facebook last week about the UserInfo endpoint schema. They prefer something using names with underscores and lowercase rather than camelCase. He will send notes on their preferred field names to the list. Meanwhile Edmund has written up a schema spec capturing the schema decisions at IIW based on a subset of Portable Contacts. We expect a productive discussion on the list and during the next call about these choices.
-- Mike
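The audience-restriction hole John raised, together with the "fall back to a TokenInfo RPC when the RP does not understand the token format" arrangement, as an added example in Python that is not part of the call notes or of any OpenID spec draft. It models a toy IdP issuing both HMAC-signed JWT-style tokens and opaque handles, an RP that only checks that the IdP issued the token (the hole: a token minted for one RP is accepted by another), and an RP that also requires the audience to equal its own client_id. The claim names (sub, aud, exp), the "connect1.0" type tag, the shape of the TokenInfo response, the use of a shared HS256 key, and the client ids "bank-rp" / "evil-rp" and user "alice" are all assumptions constructed for the example.

```python
# Added example, not code from the OpenID AB working group or any spec draft.
# Toy IdP + two RP validators showing why an access token needs an audience.
import base64
import hashlib
import hmac
import json
import secrets
import time

IDP_SECRET = b"constructed-demo-secret"  # constructed; in practice an asymmetric
                                         # key so RPs hold only the public half

_OPAQUE_TOKENS = {}  # IdP-side table for tokens with no self-describing format


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_issue_jwt(subject: str, audience: str, ttl: int = 300) -> str:
    """IdP side: sign {sub, aud, exp} as compact JWS header.payload.signature.
    Claim names and the 'connect1.0' typ value are assumptions for the demo."""
    header = {"alg": "HS256", "typ": "connect1.0"}
    claims = {"sub": subject, "aud": audience, "exp": int(time.time()) + ttl}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(claims).encode()))
    sig = hmac.new(IDP_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def idp_issue_opaque(subject: str, audience: str, ttl: int = 300) -> str:
    """IdP side: an opaque handle that only the IdP can resolve."""
    handle = "opq-" + secrets.token_urlsafe(12)
    _OPAQUE_TOKENS[handle] = {"sub": subject, "aud": audience,
                              "exp": int(time.time()) + ttl}
    return handle


def _verify_jwt(token: str):
    """Check the HS256 signature and return the claims, or None if invalid."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(IDP_SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, json.JSONDecodeError):
        return None


def token_info(token: str):
    """TokenInfo-style RPC at the IdP (response shape is an assumption):
    returns the token's claims for either format, or None if invalid/expired."""
    claims = _OPAQUE_TOKENS.get(token) or _verify_jwt(token)
    if claims is None or claims.get("exp", 0) < time.time():
        return None
    return dict(claims)


def rp_vulnerable(token: str):
    """RP that only checks that the IdP issued the token: any RP holding a
    token for the user can replay it here and impersonate the user."""
    claims = token_info(token)
    return claims["sub"] if claims else None


def rp_fixed(token: str, my_client_id: str):
    """RP that requires aud == its own client_id. A JWT-style token is checked
    locally; any other format falls back to the TokenInfo RPC."""
    claims = _verify_jwt(token) if token.count(".") == 2 else token_info(token)
    if not claims or claims.get("exp", 0) < time.time():
        return None
    if claims.get("aud") != my_client_id:  # the missing audience restriction
        return None
    return claims["sub"]


def demo():
    """Malicious RP 'evil-rp' replays a token minted for it at 'bank-rp'."""
    leaked = idp_issue_jwt("alice", audience="evil-rp")  # constructed scenario
    return {
        "vulnerable_accepts_replay": rp_vulnerable(leaked) == "alice",
        "fixed_rejects_replay": rp_fixed(leaked, "bank-rp") is None,
        "fixed_accepts_own_jwt":
            rp_fixed(idp_issue_jwt("alice", "bank-rp"), "bank-rp") == "alice",
        "fixed_accepts_own_opaque":
            rp_fixed(idp_issue_opaque("alice", "bank-rp"), "bank-rp") == "alice",
        "fixed_rejects_opaque_replay":
            rp_fixed(idp_issue_opaque("alice", "evil-rp"), "bank-rp") is None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the fixed RP is that the audience check happens on both paths: an RP that can parse the token enforces aud locally, and an RP that cannot parse it gets aud from the TokenInfo response and enforces it there. Without that check on every path, a token leaked to (or minted for) one RP is as good as a token for all of them.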