[Openid-specs-ab] Handling OpenID request objects
Vladimir Dzhuvinov / NimbusDS
vladimir at nimbusds.com
Wed Apr 11 08:59:53 UTC 2012
Hi guys,
Two questions came up when implementing the IdP logic to handle OpenID
request objects:
Q1: Is it correct that the request object must always include
"response_type" and "scope"? If the request object is found not to
conform exactly to the spec, should we continue or return an error?
Q2: How should the server act when there is a mismatch between a
parameter in the Authz request and the request object, e.g. "state"?
http://openid.net/specs/openid-connect-standard-1_0-09.html#req_param_method
says
"All [...] parameters MUST also be JSON Serialized into the OpenID
Request Object with the same values."
whereas
http://openid.net/specs/openid-connect-messages-1_0-09.html#OpenID_Request_Object
says
"If the same parameters are present both in the Authorization Request
and in the OpenID Request Object, the latter takes precedence."
Vladimir
--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
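The following is an added illustration, not code from the post or from NimbusDS, of how an IdP could handle the two situations raised above: a request object missing the claims the poster believes are required (Q1), and a parameter carried in both the authorization request and the request object with different values (Q2). Both readings quoted from the drafts are modelled: the default mode lets the request object take precedence (the Messages draft wording) but reports every mismatch, while `strict=True` treats any mismatch as an error (the Standard draft's "same values" MUST). The required-claim list, the function names, and the sample request object (an unsigned `alg: none` compact JWS constructed inline) are assumptions for the example; a real IdP must verify the JWS signature or decrypt the JWE before trusting any claim in it.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode

# Assumption for this example: mirrors Q1 in the post, not a spec citation.
REQUIRED_IN_REQUEST_OBJECT = ("response_type", "scope")


class RequestObjectError(ValueError):
    """Raised when the request object is unusable or conflicts with the query."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_request_object(claims: dict) -> str:
    """Build a constructed, UNSIGNED compact JWS (alg=none) for testing only."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty signature part


def decode_request_object(token: str) -> dict:
    """Parse the payload of a compact JWS. No signature verification here:
    a production IdP must verify/decrypt before trusting these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise RequestObjectError("request object is not a compact JWS")
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError) as exc:
        raise RequestObjectError(f"request object payload is not JSON: {exc}")


def resolve_authz_request(query_string: str, strict: bool = False):
    """Merge query parameters with the 'request' object.

    Returns (merged_params, mismatches). With strict=False the request
    object wins on conflict (Messages draft reading); with strict=True any
    conflicting value is rejected (Standard draft 'same values' reading).
    """
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    if "request" not in params:
        return params, []

    obj = decode_request_object(params["request"])

    missing = [c for c in REQUIRED_IN_REQUEST_OBJECT if c not in obj]
    if missing:
        raise RequestObjectError("request object lacks required claims: " + ", ".join(missing))

    merged = {k: v for k, v in params.items() if k != "request"}
    mismatches = []
    for key, value in obj.items():
        if key in merged and merged[key] != str(value):
            mismatches.append((key, merged[key], value))
            if strict:
                raise RequestObjectError(
                    f"'{key}' differs: query={merged[key]!r} request_object={value!r}")
        merged[key] = value  # request object takes precedence
    return merged, mismatches


# Constructed sample: the object repeats three parameters with different values.
SAMPLE_CLAIMS = {
    "response_type": "code id_token",
    "scope": "openid profile",
    "state": "obj-state",
    "client_id": "s6BhdRkqt3",
}
SAMPLE_QUERY = urlencode({
    "response_type": "code",
    "scope": "openid",
    "state": "qs-state",
    "client_id": "s6BhdRkqt3",
    "request": make_unsigned_request_object(SAMPLE_CLAIMS),
})

if __name__ == "__main__":
    merged, diffs = resolve_authz_request(SAMPLE_QUERY)
    print("effective parameters:", merged)
    for key, q, o in diffs:
        print(f"mismatch on {key}: query={q!r} object={o!r} (object used)")
```

Whichever reading an IdP adopts, logging the mismatches is worth doing: a client that sends one `state` in the query and another in the signed object is either buggy or being tampered with in transit, and that is exactly the kind of inconsistency an operator wants to see.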