[Openid-specs-ab] Feedback: Basic Client 1.0 draft 12

Thu Sep 8 18:45:29 UTC 2011

Here is my review of the Basic Client doc, draft 12:  My first thought is
that this is a *really* readable document.    Congratulations on keeping
things simple, and creating a document flow that is simple and
straightforward.

Most of my comments are typos and definitions - the only serious question I
have about the underlying meaning/content of a section is in section 4.
 As much as the Check Session endpoint is all about the currently
authenticated user,   I think that the User Info endpoint needs to serve
profile information for the lifetime of the access token, not just the
lifetime of the initial session.  Perhaps I'm just misinterpreting?

Thanks,

Pamela

Introduction:

*text*:  "OpenID Connect Basic Client is a profile of the full OpenID
Connect 1.0 Specification that is designed to be easy to read and implement
for Relying Parties"
*comment*:   Are we saying that in OpenID Connect,  Relying Parties and
Clients are the same thing?

Section 2: Terminology

   - The following terms are used but not defined in either Basic Client or
   in the referred OAuth 2.0 spec:
      - Identity Provider
      - Relying Party
      - User-Agent
      - Assertion

Section 3: Protocol Flows

   - text:   "Clients wanting to use the code flow and Identity Providers
   should consult the full OpenID 1.0 specification"
   - comment:  can we point to a specific document where the code flow is
   described?  Standard perhaps?

Section 3.2.1: Client Prepares an Authorization Request

   - scope parameter:
      - definition of scope should not start with "It".
      - suggestion:  replace "It MUST include openid as one of the space
      separated strings" with "Scope MUST include openid as one of the space
      separated strings"
   - redirect_uri parameter:
      - typo: missing a closing parenthesis
   - prompt parameter:
      - need a reference to the OpenID Connect document where login,
      consent, and select_account are defined.
   - typo:   "Authorization servers MUST support" should be "Authorization
   Servers MUST support"

Section 3.3: Check Session Endpoint

   - typo in the end of the first sentence:   id-token should be replaced
   with id_token

Section 4: UserInfo Endpoint

   - text: "The id_token and Check Session Endpoint MUST be used to validate
   the identity of a session"
   - comment:  Is this meant to say that the User Info endpoint can only be
   used when a user has a valid session?   What happens if the client has a
   valid access token but the session has expired?   Should the User Info
   endpoint refuse to serve the data?
   - I think that there are many situations where information about the user
   needs to be retrieved without an active session.  If we want to
   differentiate between "information about the (this moment) authenticated
   user" and "information about the owner of the supplied access token", we
   need to be much clearer.

Section 6: Security Considerations:

   - We have a whole bunch of sections about security considerations of
   assertions - but nowhere in the implicit flow are assertions mentioned.  Is
   the id_token an assertion?  If so we should say so.  If not, we should
   define what exactly is.
   - Suggest putting all the assertion threats together, ie section 6.1.1,
   6.1.2, etc

Section 6.9: Availability

   - Which server is "the server"?  Which server is the "web server"?  And
   why is the client allowing the USER to associate multiple servers?
   Generally the user has nothing to do with redundancy.... This section is not
   helpful as written.

-- 
*Pamela Dingle*  |  Sr. Technical Architect
*Ping**Identity*  |   www.pingidentity.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
*O:* 303-999-5890   *M:* 303-999-5890
*Email:* pdingle at pingidentity.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- -
*Connect with Ping*
Twitter: @pingidentity
LinkedIn Group: Ping's Identity Cloud
Facebook.com/pingidentitypage
*Connect with me*
Twitter: @pamelarosiedee
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110908/769dd29e/attachment.html>