[Openid-specs-ab] Initiating User Registration via OpenID Connect spec draft published
George Fletcher
gffletch at aol.com
Tue Aug 6 15:28:54 UTC 2019
Thanks so much for the feedback. Duly noted for the next draft :)
On 8/6/19 9:30 AM, Filip Skokan wrote:
> And some nits around the examples
>
> - Figure 1 and 2 examples are not `openid` requests (missing scope
> "openid")
> - Figure 1 is not an OpenID Connect response_type (token)
> - I think these figures can be reduced down to one, regular code flow
> with openid scope.
>
> Best,
> *Filip Skokan*
>
>
> On Tue, 6 Aug 2019 at 15:23, Filip Skokan <panva.ip at gmail.com
> <mailto:panva.ip at gmail.com>> wrote:
>
> Hello George, everyone,
>
> Thank you for this note, I agree this hint is useful, regardless
> of the form or shape it takes - a new parameter or prompt value.
>
> a couple points from my side
>
> For authorization requests sent as a JWTs, such as when using
> JWT Secured Authorization Request, a single prompt parameter
> value is represented as a JSON string *while multiple values
> are represented as an array of strings.*
>
>
> Aside from `resource` which is a parameter that can be passed
> multiple times all parameters (with maybe claims as an exception)
> should be passed as JSON primitives such as string (scope,
> client_id, ...) or number (max_age) inside Request Objects. We
> could propose an errata on the specific parameter handling inside
> Core but I think the interoperable behaviour we have today is that
> parameters such as scope or prompt that regularly get values as
> space-delimited string of values are passed the same way in a
> Request Object. As mentioned the only exception is `claims` which
> makes sense to pass as a JSON object and `resource` which is
> allowed to be passed multiple times e.g.
> `&resource=urn:example:foo&resource=urn:example:foo2`.
>
> If the OpenID Provider fails to parse the provided value(s) it
> should ignore the prompt parameter value and proceed as if the
> prompt parameter was not specified.
>
>
> At the moment I believe it's up to each implementer to either be
> strict in checking supported `prompt` values or lax and simply
> ignoring unsupported values. I think this would be worth
> clarifying in Core, since this and possible future `prompt` values
> may have behaviours tied to them and ignoring a provided but not
> supported prompt value could lead to confusion.
>
> I'd like to propose that the draft focuses on the actual new value
> and its semantics and strays away from defining new authorization
> request and request object processing rules of existing parameters.
>
> Best,
> *Filip Skokan*
>
>
> On Tue, 6 Aug 2019 at 14:47, George Fletcher via Openid-specs-ab
> <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
> The Initiating User Registration via OpenID Connect draft has
> been
> published here:
>
> https://openid.net/specs/openid-connect-prompt-create-1_0.html
>
> This very simple extension to the prompt parameter allows the
> client to
> indicate to the OpenID Provider that the user requested to be
> sent
> through the registeration/signup flow rather than be shown the
> authentication screen and have to find the "create new
> account" option.
>
> Feedback greatly appreciated!
>
> Thanks,
> George
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
--
Identity Standards Architect
Verizon Media Work: george.fletcher at oath.com
Mobile: +1-703-462-3494 Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544 Photos: http://georgefletcher.photography
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190806/cdd6b501/attachment.html>
More information about the Openid-specs-ab
mailing list