[Openid-specs-ab] Comment on Messages
Nat Sakimura
sakimura at gmail.com
Sat Sep 3 04:34:59 UTC 2011
While I sympathise with the need for flexibility, for interoperability,
profiling narrowly would be a good thing.
As to the criticism [1], I would not actually care. It is just a matter of
using a signed and possibly encrypted JWT as the access_token if you wanted more
security. The initial request should be the 'request' parameter, which is again
a signed and possibly encrypted JWT. The HTTP authorization scheme can still
be bearer.
OAuth 2.0 resource access can be similarly covered.
Instead of using query parameters as the request parameters, sending a signed
JWT would solve it.
=nat
2011/9/2 Andreas Åkre Solberg <andreas.solberg at uninett.no>
> In the Messages document:
>
> This specification further constrains that only Bearer Tokens [OAuth.2.0.Bearer]
> (http://openid.net/specs/openid-connect-messages-1_0.html#OAuth.2.0.Bearer)
> are issued at the Token endpoint. The OAuth 2.0 response parameter
> "token_type" MUST be set to "Bearer".
>
>
> First, I would say that even if I think it is OK to use bearer tokens, I
> would strongly advise to not restrict the types of tokens to this particular
> type for all future use. Bearer is criticized a lot [1].
>
> Second, if you restrict the type of token to bearer, you can save the
> effort of defining the JWT token type in the 'Standards' document.
>
> [1]:
> http://hueniverse.com/2010/09/oauth-2-0-without-signatures-is-bad-for-the-web/
>
>
> Also, the example in sect 6.1 uses access_token, while I think it should be
> bearer_token.
>
>
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
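Nat's suggestion above, as an added example that is not part of the thread or of any OpenID Foundation code: the token endpoint returns an HS256-signed JWT as the access_token while the HTTP scheme stays Bearer, and the resource server checks signature, issuer, audience and expiry locally. The shared key, issuer and audience values are constructed for the example; a real deployment would more likely use an asymmetric signature.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed example: one symmetric key shared by the token issuer (OP) and the
# resource server; a real deployment would more likely use an RS256 key pair.
SHARED_KEY = b"example-shared-secret-not-for-production"
ISSUER = "https://op.example"  # assumed issuer identifier

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(subject: str, audience: str, key: bytes, now: int, ttl: int = 600) -> str:
    """Token endpoint: mint an HS256-signed JWT to return as access_token, token_type=Bearer."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    claims = json.dumps({"iss": ISSUER, "sub": subject, "aud": audience,
                         "iat": now, "exp": now + ttl}, separators=(",", ":")).encode()
    signing_input = f"{_b64url(header)}.{_b64url(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_bearer_jwt(authorization: str, audience: str, key: bytes, now: int) -> Optional[dict]:
    """Resource server: parse 'Authorization: Bearer <jwt>' and validate the JWT locally,
    with no call back to the issuer. Returns the claims, or None on any failure."""
    scheme, _, token = authorization.partition(" ")
    parts = token.split(".")
    if scheme != "Bearer" or len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        return None
    # Pin the algorithm; never let the token's own 'alg' choose the verification method.
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != audience:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

On the wire the token is still a bearer credential, so TLS and a short lifetime remain necessary; what the signature adds is that the resource server can check integrity and claims without a lookup at the issuer.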