[Openid-specs-ab] Comments on the OpenID Connect Standard spec 1.0 draft 4
Edmund Jay
ejay at mgi1.com
Tue Sep 20 18:19:22 UTC 2011
The query parameters need to be sent even when "request" parameter is sent
because the request needs to conform to OAuth specs.
The "request" parameter is an extension parameter used for creating more complex
requests and as a way to sign/encrypt the request. Therefore the query
parameters need to be present in the "request" object also and will take
precedence.
________________________________
From: Roland Hedberg <roland.hedberg at adm.umu.se>
To: George Fletcher <gffletch at aol.com>
Cc: "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
Sent: Mon, September 19, 2011 11:49:53 PM
Subject: Re: [Openid-specs-ab] Comments on the OpenID Connect Standard spec 1.0 draft 4
On 20 Sep 2011 at 03:37, George Fletcher wrote:
>
> * Section 4.1.1.2
>
> The second paragraph says that parameters specified in the "OpenID Request
>Object" take precedence over query parameters. Yet the non-normative example,
>shows the same parameter in both the query string and the OpenID Request Object.
>Given that the Request Object takes precedence, isn't just the request object
>enough? So the last example in section 4.1.1.2 could be...
>
>https://server.example.com/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwidXNlcmluZm8iOnsiY2xhaW1zIjp7Im5hbWUiOm51bGwsIm5pY2tuYW1lIjp7Im9wdGlvbmFsIjp0cnVlfSwiZW1haWwiOm51bGwsInZlcmlmaWVkIjpudWxsLCJwaWN0dXJlIjp7Im9wdGlvbmFsIjp0cnVlfX0sImZvcm1hdCI6InNpZ25lZCJ9LCJpZF90b2tlbiI6eyJtYXhfYWdlIjo4NjQwMCwiaXNvMjkxMTUiOiIyIn19.2OiqRgrbrHkA1FZ5p_7bc_RSdTbH-wo_Agk-ZRpD3wY
>
>
I went through the same reasoning but I came out the other end with the idea
that the parameters that matter, those you want to sign, should be in the
request JWT and those that aren't vital (are there any such?) could be in the
query string.
Anyway, I also see no reason for parameters to be in both.
> * Section 4.1.4.1
>
> This probably isn't an issue, but ensuring the entire URL does not exceed 512
>bytes, requires both the AS and the Client to work together. If the client has a
>really large state value, and the AS has a large code value, the combined length
>could be greater than 512.
Agreed, a badly behaved client can make it impossible for a server to construct
URLs shorter than 512 bytes.
-- Roland
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
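The two points in this thread, as an added worked example (this is not code from the thread, the OpenID Foundation, or any OpenID Connect implementation). The client builds the authorization URL with the plain OAuth query parameters plus a signed "request" object, and the server verifies the signature before it trusts anything in the object, then lets the request object take precedence over the query string as Edmund and Roland describe. Reporting parameters whose two copies disagree is a design choice of this example, not something the draft quoted here requires. The last two functions illustrate the section 4.1.4.1 point: the authorization server can only detect, not prevent, a redirect URL growing past 512 bytes when the client supplies a large state. The HMAC key, the helper names and the sample parameter values (modelled on the draft's example) are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo key. A real deployment uses the client's registered secret
# (or an asymmetric key) and never a literal in source.
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"

# Sample values modelled on the quoted draft example (constructed for this demo).
SAMPLE_QUERY = {
    "response_type": "code id_token",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.com/cb",
    "scope": "openid profile",
    "state": "af0ifjsldkj",
}
# The request object repeats the query parameters and adds the richer claims
# that only make sense inside the signed object.
SAMPLE_REQUEST_OBJECT = dict(
    SAMPLE_QUERY,
    userinfo={"claims": {"name": None, "nickname": {"optional": True}}},
    id_token={"max_age": 86400},
)

MAX_RESPONSE_URL_BYTES = 512  # the limit discussed for section 4.1.4.1


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Produce an HS256-signed OpenID Request Object (compact JWT)."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_request_object(token: str, key: bytes) -> dict:
    """Check the alg and the HMAC before trusting any claim; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a compact JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse 'none' or any algorithm we did not agree on
        raise ValueError("unexpected alg in request object")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("request object signature does not verify")
    return json.loads(b64url_decode(payload_b64))


def build_authorization_url(endpoint: str, query: dict, request_object: dict, key: bytes) -> str:
    """Client side: the plain OAuth query parameters plus the signed 'request' parameter."""
    params = dict(query)
    params["request"] = sign_request_object(request_object, key)
    return endpoint + "?" + urlencode(params)


def resolve_authorization_request(url: str, key: bytes):
    """Server side: verify the request object, let it override the query string,
    and report every parameter whose two copies disagree."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query, keep_blank_values=True).items()}
    token = query.pop("request", None)
    if token is None:
        return query, []
    request_object = verify_request_object(token, key)
    conflicts = sorted(k for k in query if k in request_object and request_object[k] != query[k])
    merged = dict(query)
    merged.update(request_object)  # the request object takes precedence
    return merged, conflicts


def rejects_tampered_request(url: str, key: bytes) -> bool:
    """Replace the signature with zeros and confirm the server refuses the request."""
    parsed = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    head, _, _ = params["request"].rpartition(".")
    params["request"] = head + "." + b64url_encode(bytes(32))
    forged = parsed._replace(query=urlencode(params)).geturl()
    try:
        resolve_authorization_request(forged, key)
    except ValueError:
        return True
    return False


def build_code_response(redirect_uri: str, code: str, state: str) -> str:
    """Server side: the redirect carrying the code and the client's state."""
    return redirect_uri + "?" + urlencode({"code": code, "state": state})


def response_url_fits(url: str) -> bool:
    """True when the whole redirect URL stays within the 512-byte limit."""
    return len(url.encode("utf-8")) <= MAX_RESPONSE_URL_BYTES


if __name__ == "__main__":
    url = build_authorization_url("https://server.example.com/authorize", SAMPLE_QUERY, SAMPLE_REQUEST_OBJECT, DEMO_KEY)
    merged, conflicts = resolve_authorization_request(url, DEMO_KEY)
    print(json.dumps(merged, indent=2), "conflicts:", conflicts)
```

Running the module prints the merged request; a query string whose scope differs from the one in the request object shows up in the conflict list while the request object's value wins, and a forged signature is rejected before any claim is read.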