[Openid-specs-ab] iss typos
Manger, James
James.H.Manger at team.telstra.com
Wed Mar 4 03:18:25 UTC 2015
OpenID Connect Core 1.0 <http://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedValidation> §7.5 "Self-Issued ID Token Validation" has a typo in point 1. It says the "iss" value MUST be
https://self-isued.me
but it should actually be
https://self-issued.me
It is an annoying typo as there are two "MUST"s referring to this precise spelling.
The spec also has 4 example "iss" values that are wrong because they are http, not https. §A.2, §A.3, §A.4, and §A.6 (examples using various response_type values) have
"iss": "http://server.example.com"
which needs to be
"iss": "https://server.example.com"
P.S. I was trying to pick some sizes for various tokens. RFC 6819 "OAuth 2.0 Security" has a generic suggestion of >= 128-bits. The OpenID Connect spec, however, has lots of examples of 60-bit (10 b64 chars) code, client_secret, access_token, and refresh_token values, and only slightly longer sample state and nonce values.
--
James Manger
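
Added example, not part of the original message or of the specification: a Python sketch of the two checks the message touches on, rejecting "iss" values that are not https or not the exact self-issued string, and comparing token length against the 128-bit suggestion. The function names and the sample values are constructed for illustration; the "no query or fragment" rule comes from OpenID Connect Core's definition of "iss", not from the message.

```python
import math
import secrets
from urllib.parse import urlsplit

SELF_ISSUED_ISS = "https://self-issued.me"  # corrected spelling from the message
MIN_TOKEN_BITS = 128                        # RFC 6819 suggestion quoted in the P.S.


def issuer_problems(iss, self_issued=False):
    """Return the reasons an "iss" value is unacceptable (empty list means OK)."""
    problems = []
    parts = urlsplit(iss)
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if not parts.netloc:
        problems.append("missing host")
    if parts.query or parts.fragment:
        problems.append("query or fragment present")
    # Self-issued ID Tokens must carry this exact, case-sensitive string,
    # so a one-letter typo on either side breaks validation.
    if self_issued and iss != SELF_ISSUED_ISS:
        problems.append("not the exact self-issued issuer")
    return problems


def max_entropy_bits(token):
    """Upper bound on the entropy of a base64url token: 6 bits per character."""
    return 6 * len(token.rstrip("="))


def new_token(bits=MIN_TOKEN_BITS):
    """Generate a base64url token with at least `bits` bits from the OS CSPRNG."""
    return secrets.token_urlsafe(math.ceil(bits / 8))


if __name__ == "__main__":
    # Constructed sample inputs mirroring the cases in the message.
    for iss, self_issued in [
        ("http://server.example.com", False),
        ("https://server.example.com", False),
        ("https://self-isued.me", True),
        ("https://self-issued.me", True),
    ]:
        print(iss, issuer_problems(iss, self_issued) or "OK")
    short = "AbCdEfGhIj"  # constructed 10-character value, same length as the spec samples
    print(short, max_entropy_bits(short), "bits at most")
    fresh = new_token()
    print(fresh, max_entropy_bits(fresh), "bits at most")
```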