[Openid-specs-ab] Draft 13 of Artifact Binding

Ryo Ito ritou.06 at gmail.com
Thu Sep 30 00:26:37 UTC 2010


OAuth core spec has no server identifier.


So, my idea is to add a parameter, or to use the state param as an "OP Identifier".


Ryo.

2010/9/30, Nat Sakimura <sakimura at gmail.com>:
> Actually, I think I now understood what you mean.
> It is in RC1 now.
>
> On Thu, Sep 30, 2010 at 3:24 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>
>> Ryo-
>>
>> One question. What do you mean by "-  RP MUST include a state parameter in
>> 8.3 Request by all means" ?
>>
>> =nat
>>
>> On Sat, Sep 18, 2010 at 2:11 AM, Ryo Ito <ritou.06 at gmail.com> wrote:
>>
>>> Hi Nat,
>>>
>>> I'm sorry for the late response.
>>>
>>> (1) 7.4.1.  Obtaining bearer token 'client_secret'
>>>
>>> Most OPs will display an AuthN/AuthZ page over HTTPS.
>>> The client_icon which the RP registers should be an HTTPS image.
>>>
>>> (2) 8.4.1.  End-user Grants Authorization
>>>
>>> I think that it is difficult for the RP to understand which OP sent this
>>> response.
>>>
>>> The following limitation may solve this problem.
>>> -  OP MUST include server_id in 8.4.1 Response
>>> -  RP MUST include a state parameter in 8.3 Request by all means
>>>
>>> (3) 8.6.1.  Positive Assertion
>>>
>>> Please add OAuth Response Parameters to sample response.
>>>
>>> ===
>>> Example:
>>>
>>> {
>>>    "openid": {
>>>        "type": "http://openid.net/specs/ab/1.0#id_res",
>>>        "mode": "id_res",
>>>        "server_id": "https://op.example.com/",
>>>        "pubkey": "CSqGSIb3DQEBBQ...22WLTnPvcztaqovGW2gaidAyq6",
>>>        "request_url": "https://rp.example.com/rf.js%23Qfsoe2F",
>>>        "op_endpoint": "https://op.example.com/op_endpoint",
>>>        "claimed_id": "https://example.com/alice#1234",
>>>        "identity": "alice",
>>>        "user_id": "https://op.example.com/a3flsjeow1234",
>>>        "issued_at": 1280217103,
>>>        "client_id": "https://rp.example.com/"
>>>    },
>>>    "access_token":"SlAV32hkKG",
>>>    "expires_in":3600,
>>>    "refresh_token":"8xLOxBtZp8"
>>> }
>>> ===
>>>
>>> Thanks,
>>> Ryo
>>>
>>> 2010/8/9 Nat Sakimura <sakimura at gmail.com>:
>>> > Hopefully, it is close to the final. Please review carefully, by the
>>> > end of the week.
>>> > That will be the final edit before I submit it for the public comment.
>>> >
>>> > Changes:
>>> > =========
>>> > * Name scoped openid variables into openid key in JSON.
>>> > * Changed variable names according to the changes between OAuth draft
>>> > 9 and 7 (e.g., redirect_url -> redirect_uri). Also, added some
>>> > variables added in draft 9.
>>> > * Added IANA consideration.
>>> > * Added some text to the Security Consideration. Added timing attack.
>>> > * Changed pubkey from base64url encoded PEM to that of DER.
>>> > * Misc editorial.
>>> >
>>> >
>>> >
>>> > --
>>> > Nat Sakimura (=nat)
>>> > http://www.sakimura.org/en/
>>> > http://twitter.com/_nat_en
>>> >
>>> > _______________________________________________
>>> > Openid-specs-ab mailing list
>>> > Openid-specs-ab at lists.openid.net
>>> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>> >
>>> >
>>> --
>>> ====================
>>> Ryo Ito
>>> Email : ritou.06 at gmail.com
>>> ====================
>>>
>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>>
>
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
>


-- 
====================
Ryo Ito
Email : ritou.06 at gmail.com
====================
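An added illustration of the point raised under (2) above, not code from the Artifact Binding draft or from either author: a Python sketch of an RP that records which OP each outstanding request was sent to under a per-request `state`, and then checks the `server_id` carried in the positive assertion against that record. The `RelyingParty` class, its in-memory `pending` store and the sample response body are assumptions constructed for this example.

```python
import json
import secrets
from dataclasses import dataclass, field

# Constructed positive assertion in the shape quoted in the thread; token and id
# values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "openid": {
        "type": "http://openid.net/specs/ab/1.0#id_res",
        "mode": "id_res",
        "server_id": "https://op.example.com/",
        "op_endpoint": "https://op.example.com/op_endpoint",
        "claimed_id": "https://example.com/alice#1234",
        "identity": "alice",
        "user_id": "https://op.example.com/a3flsjeow1234",
        "issued_at": 1280217103,
        "client_id": "https://rp.example.com/",
    },
    "access_token": "SlAV32hkKG",
    "expires_in": 3600,
})


@dataclass
class RelyingParty:
    """Hypothetical RP that records which OP each outstanding request went to."""
    client_id: str
    pending: dict = field(default_factory=dict)  # state -> server_id

    def begin_request(self, server_id: str) -> str:
        # Unguessable single-use state, bound to the OP this request is sent to.
        state = secrets.token_urlsafe(24)
        self.pending[state] = server_id
        return state

    def accept_response(self, state: str, body: str) -> dict:
        # The state must come from a request this RP issued; popping it makes it single-use.
        expected_op = self.pending.pop(state, None)
        if expected_op is None:
            raise ValueError("unknown or replayed state")
        resp = json.loads(body)
        oid = resp.get("openid", {})
        # The OP's server_id must be the one the request was actually sent to.
        if oid.get("server_id") != expected_op:
            raise ValueError("server_id does not match the OP this state was issued for")
        # And the assertion must be addressed to this RP.
        if oid.get("mode") != "id_res" or oid.get("client_id") != self.client_id:
            raise ValueError("assertion not addressed to this RP")
        return {"server_id": expected_op, "user_id": oid["user_id"],
                "access_token": resp["access_token"]}
```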

