[Openid-specs-ab] session management: space is delimiter while also a legal character in client_id
John Bradley
ve7jtb at ve7jtb.com
Tue Feb 4 15:47:30 UTC 2014
Yes that would be a problem. The example in 4.2 should probably be doing a slice(0, lastIndexOf(' ')) rather than a split(' ').
Or whatever the correct JS syntax is to split on the rightmost ' '. Having spaces in the client ID is not ideal, but it is not the end of the world as long as there are no spaces in the session state.
In principle, as the client_id is issued by the AS, it would know if split(' ') is safe to use.
Worth calling out though.
On Feb 4, 2014, at 12:28 PM, Brian Campbell <bcampbell at pingidentity.com> wrote:
> In 4.1 of Session Management "The postMessage from the RP iframe delivers the following concatenation as the data: Client ID + " " + Session State" and 4.2 the OP has to
>
> Wouldn't that break for client ids that contain spaces, when in section 4.2, the OP attempts to parse those two items out from the data (and yes, spaces are allowed per the client_id ABNF in RFC 6749)?
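The parsing problem discussed in this thread, as an added example that is not part of the original messages or of the specification: a `split(' ')` parse next to one that cuts on the rightmost space. The function names, the way the naive version picks its two tokens, and the sample values are assumptions made for illustration.

```javascript
// Added example: parsing "Client ID + ' ' + Session State" on the OP side.
// Function names and sample values are constructed, not taken from the spec.

// Models a split(' ')-based parse: assumes exactly two space-separated tokens.
function parseNaive(data) {
  const parts = data.split(' ');
  return { clientId: parts[0], sessionState: parts[1] };
}

// Cuts on the rightmost space, so spaces inside the client_id survive.
// Relies on the session state itself containing no space.
function parseRightmost(data) {
  if (typeof data !== 'string') return null;
  const i = data.lastIndexOf(' ');
  // Reject: no delimiter, empty client_id, or empty session state.
  if (i <= 0 || i === data.length - 1) return null;
  return { clientId: data.slice(0, i), sessionState: data.slice(i + 1) };
}

// Constructed inputs: a client_id with spaces and a space-free session state.
const SAMPLE_CLIENT_ID = 'my client app';
const SAMPLE_SESSION_STATE = 'abc123.salt456';
const SAMPLE_DATA = SAMPLE_CLIENT_ID + ' ' + SAMPLE_SESSION_STATE;

function compare(data) {
  return { naive: parseNaive(data), rightmost: parseRightmost(data) };
}

const result = compare(SAMPLE_DATA);
console.log('naive    :', result.naive);
console.log('rightmost:', result.rightmost);
console.log('malformed:', parseRightmost('nodelimiter'), parseRightmost('client '));
```

An OP that compares the parsed `clientId` against its registered clients would fail to match the naive result, since the client_id has been truncated at its first space.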