[Openid-specs-ab] Issue #962: "NOT FOUND" special value for openid2_id looks dangerous (openid/connect)
James Manger
issues-reply at bitbucket.org
Mon Nov 3 00:57:20 UTC 2014
New issue 962: "NOT FOUND" special value for openid2_id looks dangerous
https://bitbucket.org/openid/connect/issue/962/not-found-special-value-for-openid2_id
James Manger:
Section 4.1.2. "No Associated OpenID 2.0 Identifier Found" says a special value "NOT FOUND" should be used in the openid2_id member. This feels dangerous and unnecessary. It is dangerous as in all other situations the openid2_id value is assumed to be an unambiguous account identifier. I can imagine code assuming openid2_id is unambiguous and being tricked into thinking all transactions with "NOT FOUND" refer to the same account.
Omitting the openid2_id member when there is no proper value seems like the most sensible solution. If an explicit indication of no OpenID 2.0 identifier is really required, a different member name could be defined (e.g. "no_openid2_id":true).
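The account-collision hazard described in this issue, as an added illustration that is not part of the original post or of any OpenID implementation: a Relying Party that keys its legacy-account lookup directly on openid2_id will map every "NOT FOUND" response to whichever account first arrived with that value. The hardened variant treats the sentinel exactly like an absent member, so it can never act as an identifier. All claim sets, account names and function names below are constructed for the example.

```python
# Added example (constructed data, not code from the OpenID Connect draft or any
# implementation): why a sentinel in openid2_id is dangerous for account linking,
# and how a Relying Party can neutralise it on input.
from typing import Optional

# The special value named in section 4.1.2 of the draft discussed in the issue.
NOT_FOUND_SENTINEL = "NOT FOUND"


def openid2_id_or_none(id_token_claims: dict) -> Optional[str]:
    """Return the openid2_id claim as a usable identifier, or None.

    Both an absent member and the "NOT FOUND" sentinel mean "no OpenID 2.0
    identifier", so the sentinel can never be used as a lookup key.
    """
    value = id_token_claims.get("openid2_id")
    if value is None or value == NOT_FOUND_SENTINEL:
        return None
    if not isinstance(value, str) or not value.strip():
        return None
    return value


def link_account_naive(accounts_by_openid2: dict, claims: dict, sub: str) -> str:
    """The hazardous pattern the issue warns about: openid2_id is trusted as unambiguous.

    setdefault() returns an existing mapping if the key is already present, so
    the second user arriving with "NOT FOUND" is handed the first user's account.
    """
    key = claims["openid2_id"]
    return accounts_by_openid2.setdefault(key, sub)


def link_account_safe(accounts_by_openid2: dict, claims: dict, sub: str) -> Optional[str]:
    """Hardened: only a real OpenID 2.0 identifier is used for the migration lookup."""
    key = openid2_id_or_none(claims)
    if key is None:
        # No legacy identifier: the caller falls back to the Connect "sub" value
        # instead of matching against any previously seen account.
        return None
    return accounts_by_openid2.setdefault(key, sub)


def demo():
    """Run three constructed ID-token claim sets through both linkers."""
    alice = {"sub": "alice-connect", "openid2_id": "https://op.example/alice"}
    bob = {"sub": "bob-connect", "openid2_id": NOT_FOUND_SENTINEL}
    carol = {"sub": "carol-connect", "openid2_id": NOT_FOUND_SENTINEL}

    naive = {}
    link_account_naive(naive, alice, alice["sub"])
    link_account_naive(naive, bob, bob["sub"])
    collided = link_account_naive(naive, carol, carol["sub"])  # bob's account, not carol's

    safe = {}
    link_account_safe(safe, alice, alice["sub"])
    bob_result = link_account_safe(safe, bob, bob["sub"])      # None: no legacy id
    carol_result = link_account_safe(safe, carol, carol["sub"])  # None: no legacy id
    return collided, bob_result, carol_result


if __name__ == "__main__":
    print(demo())
```

The normalisation belongs at the boundary where the ID token is parsed, so that no later code path ever sees the literal sentinel; omitting the member entirely, as the issue proposes, would make the sentinel branch unnecessary.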