[Openid-specs-ab] Messages -15 RC: what to do malformed or ambiguous requests?
Brian Campbell
bcampbell at pingidentity.com
Fri Jan 25 21:54:28 UTC 2013
There are a number of possible combinations of parameters that seem (at
least to me) like they might be considered malformed or ambiguous. A few
examples are listed below but there are other combinations, usually where
what's requested by the response type is somehow misaligned with what's
requested via scope. The messages spec gives some guidance, for example
around scope in 2.4 and the openid scope value in 2.4 but it's still not
entirely clear what the expected behavior is for these kinds of things. I
know this question, or variations on it, have come up before but I don't
know that an answer was ever settled on. And it's still not clear to me
from reading RC/-15.

Is there a general expectation of behavior around this kind of thing?
Should the AS just make a best effort? Or should it return errors to the
client? Or something else? Even if the specs decide to leave it entirely up
to the implementations, I think it'd be useful to say as much.

Some example combinations of response_type and scope that I don't know what
to do with:

response_type=token
scope=openid

response_type=id_token
scope=openid profile email address

response_type=code
scope=profile
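
Added example (not part of the original message and not taken from the spec): a check an AS could run to detect the three kinds of response_type/scope misalignment listed above. The finding labels and the function name are assumptions made for this sketch, and it only reports the mismatch; whether to reject or make a best effort is left to the caller, since that is the open question.

```python
from urllib.parse import parse_qs

# Scope values that request user claims in OpenID Connect.
CLAIM_SCOPES = {"profile", "email", "address", "phone"}


def misalignments(query: str) -> list[str]:
    """Return labels (names invented for this example) for each
    response_type/scope mismatch found in an authorization request."""
    params = parse_qs(query, keep_blank_values=True)
    rtypes = set(params.get("response_type", [""])[0].split())
    scopes = set(params.get("scope", [""])[0].split())
    if not rtypes:
        return ["missing_response_type"]

    # "code" can lead to both tokens via the token endpoint;
    # "id_token" and "token" return them directly from the authorization endpoint.
    yields_id_token = bool(rtypes & {"id_token", "code"})
    yields_access_token = bool(rtypes & {"token", "code"})
    claim_scopes = scopes & CLAIM_SCOPES

    findings = []
    # scope says "this is OpenID Connect" but no ID token can result.
    if "openid" in scopes and not yields_id_token:
        findings.append("openid_scope_but_no_id_token")
    # OpenID Connect features requested without the openid scope.
    if "openid" not in scopes and (claim_scopes or "id_token" in rtypes):
        findings.append("openid_scope_missing")
    # Claims requested, but no access token to fetch them with.
    if claim_scopes and not yields_access_token:
        findings.append("claim_scopes_but_no_access_token")
    return findings


if __name__ == "__main__":
    # The three combinations from the message, as constructed query strings.
    for q in (
        "response_type=token&scope=openid",
        "response_type=id_token&scope=openid+profile+email+address",
        "response_type=code&scope=profile",
    ):
        print(q, "->", misalignments(q))
```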