[Openid-specs-ab] session management: space is delimiter while also a legal character in client_id
Brian Campbell
bcampbell at pingidentity.com
Tue Feb 4 17:59:57 UTC 2014
Session state (defined as a "JSON string" <http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions>)
can have spaces as well.
Yes, there are ways to work around it given knowledge of the client id and
session state values, which are (mostly) at the discretion of the OP.
Seems less than ideal that the spec would sometimes require special
handling to extract the two values out of the postMessage data. But yeah,
if it's going to stay that way, I'd say it's worth calling out and
explaining.
Was there a reason the two values weren't mashed together using JSON or
whatever?
On Tue, Feb 4, 2014 at 8:47 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes that would be a problem. The example in 4.2 should probably be doing
> a slice(0, lastIndexOf(' ')) rather than a split(' ').
>
> Or whatever the correct JS syntax is to split on the rightmost ' '.
> Having spaces in the client ID is not ideal, but it is not the end of the
> world as long as there are no spaces in the session state.
>
> In principle as the client_id is issued by the AS it would know if split(' ')
> is safe to use.
>
> Worth calling out though.
>
> On Feb 4, 2014, at 12:28 PM, Brian Campbell <bcampbell at pingidentity.com>
> wrote:
>
> In 4.1 of Session Management
> <http://openid.net/specs/openid-connect-session-1_0.html#RPiframe> "The
> postMessage from the RP iframe delivers the following concatenation as the
> data: *Client ID + " " + Session State*" and 4.2 the OP has to
>
> Wouldn't that break for client ids that contain spaces, when in section
> 4.2 <http://openid.net/specs/openid-connect-session-1_0.html#OPiframe>,
> the OP attempts to parse those two items out from the data (and yes, spaces
> are allowed per the client_id ABNF in RFC 6749
> <http://tools.ietf.org/html/rfc6749#appendix-A.1>)?
>
>
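Added example, not code from this thread or from the Session Management spec: the two ways of splitting the postMessage data that the thread discusses (split on the first space versus on the rightmost space), run in a hypothetical OP iframe over constructed sample values, one of which is a client_id containing a space.

```javascript
// Added example (not from the thread or the spec): two parsers for the
// postMessage data "Client ID + ' ' + Session State" from section 4.1,
// compared over constructed inputs, including a client_id with a space.

// Naive parser: split on every space and take the first two pieces.
// A client_id containing a space is mis-parsed.
function parseWithSplit(data) {
  const parts = data.split(' ');
  return { clientId: parts[0], sessionState: parts[1] };
}

// Parser that splits on the rightmost space, as suggested in the thread.
// Correct whenever the session state itself contains no space; the spec
// only calls it a "JSON string", so that is an assumption the OP must
// enforce when it mints session state values.
function parseWithLastSpace(data) {
  const idx = data.lastIndexOf(' ');
  if (idx < 0) {
    throw new Error('postMessage data has no separator');
  }
  return { clientId: data.slice(0, idx), sessionState: data.slice(idx + 1) };
}

// Constructed sample values; both client ids are legal per the client_id
// ABNF in RFC 6749 (VSCHAR, which includes space).
const SAMPLES = [
  { clientId: 'rp-client-1', sessionState: 'abc123.salt' },
  { clientId: 'my rp client', sessionState: 'abc123.salt' },
];

// For each sample, report whether each parser recovers the original pair.
function compareParsers() {
  return SAMPLES.map(({ clientId, sessionState }) => {
    const data = clientId + ' ' + sessionState;
    const a = parseWithSplit(data);
    const b = parseWithLastSpace(data);
    return {
      data,
      splitOk: a.clientId === clientId && a.sessionState === sessionState,
      lastSpaceOk: b.clientId === clientId && b.sessionState === sessionState,
    };
  });
}
```

The second sample shows the failure the thread describes: `split(' ')` yields `my` as the client id and `rp` as the session state, while the rightmost-space parser recovers both values.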