[Openid-specs-ab] Issue #917: space is deliminator while also a legal character in client_id and session state (openid/connect)
Brian Campbell
issues-reply at bitbucket.org
Fri Feb 7 13:14:07 UTC 2014
New issue 917: space is deliminator while also a legal character in client_id and session state
https://bitbucket.org/openid/connect/issue/917/space-is-deliminator-while-also-a-legal
Brian Campbell:
The space character is used to concatenate/delimit client_id and session state in the postMessage data but is also a legal character in both of those values.
So it can't be used reliably to parse the two values apart unless additional constraints or assumptions are made about the content of client_id and/or session state.
IMHO, it should be fixed. But if not, it should at least be called out.
There's some discussion on the list (I'm filing this issue so it won't get lost):
http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20140203/004598.html
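
The ambiguity described in the message above, as an added example that is not part of the original post or of the OpenID Connect specification. The function names and sample values are constructed, and the sender-side rule "neither value may contain a space" is one assumed form of the additional constraint the issue mentions.

```javascript
// Added illustration; all names and sample values below are constructed.

// Message format described in the issue: client_id + " " + session_state.
function buildMessage(clientId, sessionState) {
  return clientId + " " + sessionState;
}

// Every (client_id, session_state) pair that could have produced `message`.
// One space gives one candidate; more than one means the receiver must guess.
function candidateSplits(message) {
  const out = [];
  for (let i = message.indexOf(" "); i !== -1; i = message.indexOf(" ", i + 1)) {
    out.push({ clientId: message.slice(0, i), sessionState: message.slice(i + 1) });
  }
  return out;
}

// Receiver-side parse that refuses to guess: accept only messages with
// exactly one possible split and two non-empty halves.
function parseUnambiguous(message) {
  const c = candidateSplits(message);
  if (c.length !== 1 || c[0].clientId === "" || c[0].sessionState === "") return null;
  return c[0];
}

// Sender-side check (assumed constraint): neither value may contain a space.
function buildMessageChecked(clientId, sessionState) {
  if (clientId.includes(" ") || sessionState.includes(" ")) {
    throw new Error("value contains the delimiter character");
  }
  return buildMessage(clientId, sessionState);
}

// Two different constructed pairs that serialize to the same string.
const a = buildMessage("my client", "abc123.salt");   // space in client_id
const b = buildMessage("my", "client abc123.salt");   // space in session state
console.log(a === b);                     // true
console.log(candidateSplits(a).length);   // 2
console.log(parseUnambiguous(a));         // null
console.log(parseUnambiguous(buildMessageChecked("client1", "abc123.salt")));
```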