[Openid-specs-ab] Draft 13 of Artifact Binding

Nat sakimura at gmail.com
Thu Sep 30 00:40:15 UTC 2010


Thanks. I got it in. 

=nat @ Washington D.C. via iPhone

On 2010/09/29, at 20:26, Ryo Ito <ritou.06 at gmail.com> wrote:

> OAuth core spec has no server identifier.
> 
> 
> So, my idea has additional parameter or uses state param as "OP Identifier".
> 
> 
> Ryo.
> 
> 2010/9/30, Nat Sakimura <sakimura at gmail.com>:
>> Actually, I think I now understood what you mean.
>> It is in RC1 now.
>> 
>> On Thu, Sep 30, 2010 at 3:24 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>> 
>>> Ryo-
>>> 
>>> One question. What do you mean by "-  RP MUST include a state parameter in
>>> 8.3 Request by all means" ?
>>> 
>>> =nat
>>> 
>>> On Sat, Sep 18, 2010 at 2:11 AM, Ryo Ito <ritou.06 at gmail.com> wrote:
>>> 
>>>> Hi Nat,
>>>> 
>>>> I'm sorry for late response.
>>>> 
>>>> (1) 7.4.1.  Obtaining bearer token 'client_secret'
>>>> 
>>>> Most OP will display an AuthN/AuthZ page on HTTPS.
>>>> The client_icon which RP registers should be HTTPS image.
>>>> 
>>>> (2) 8.4.1.  End-user Grants Authorization
>>>> 
>>>> I think that it is difficult for RP to understand which OP sent this
>>>> response.
>>>> 
>>>> The following limitation may solve this problem.
>>>> -  OP MUST include server_id in 8.4.1 Response
>>>> -  RP MUST include a state parameter in 8.3 Request by all means
>>>> 
>>>> (3) 8.6.1.  Positive Assertion
>>>> 
>>>> Please add OAuth Response Parameters to sample response.
>>>> 
>>>> ===
>>>> Example:
>>>> 
>>>> {
>>>>   "openid": {
>>>>       "type": "http://openid.net/specs/ab/1.0#id_res",
>>>>       "mode": "id_res",
>>>>       "server_id": "https://op.example.com/",
>>>>       "pubkey": "CSqGSIb3DQEBBQ...22WLTnPvcztaqovGW2gaidAyq6",
>>>>       "request_url": "https://rp.example.com/rf.js%23Qfsoe2F",
>>>>       "op_endpoint": "https://op.example.com/op_endpoint",
>>>>       "claimed_id": "https://example.com/alice#1234",
>>>>       "identity": "alice",
>>>>       "user_id": "https://op.example.com/a3flsjeow1234",
>>>>       "issued_at": 1280217103,
>>>>       "client_id": "https://rp.example.com/"
>>>>   },
>>>>   "access_token":"SlAV32hkKG",
>>>>   "expires_in":3600,
>>>>   "refresh_token":"8xLOxBtZp8"
>>>> }
>>>> ===
>>>> 
>>>> Thanks,
>>>> Ryo
>>>> 
>>>> 2010/8/9 Nat Sakimura <sakimura at gmail.com>:
>>>>> Hopefully, it is close to the final. Please review carefully, by the
>>>>> end of the week.
>>>>> That will be the final edit before I submit it for the public comment.
>>>>> 
>>>>> Changes:
>>>>> =========
>>>>> * Name scoped openid variables into openid key in JSON.
>>>>> * changed variable names according to the changes between OAuth draft
>>>>> 9 and 7. (e.g., redirect_url -> redirect_uri) . Also, added some
>>>>> variable added in draft 9.
>>>>> * Added IANA consideration.
>>>>> * Added some text to the Security Consideration. Added timing attack.
>>>>> * Changed pubkey from base64url encoded PEM to that of DER.
>>>>> * Misc editorial.
>>>>> 
>>>>> 
>>>>> 
>>>>> --
>>>>> Nat Sakimura (=nat)
>>>>> http://www.sakimura.org/en/
>>>>> http://twitter.com/_nat_en
>>>>> 
>>>>> _______________________________________________
>>>>> Openid-specs-ab mailing list
>>>>> Openid-specs-ab at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>> 
>>>>> 
>>>> --
>>>> ====================
>>>> Ryo Ito
>>>> Email : ritou.06 at gmail.com
>>>> ====================
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> Nat Sakimura (=nat)
>>> http://www.sakimura.org/en/
>>> http://twitter.com/_nat_en
>>> 
>> 
>> 
>> 
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>> 
> 
> 
> -- 
> ====================
> Ryo Ito
> Email : ritou.06 at gmail.com
> ====================
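The two constraints proposed in point (2) of the quoted message (the OP includes `server_id` in the 8.4.1 response, and the RP always sends a `state` parameter in the 8.3 request) only help if the RP actually binds each `state` value to the OP it sent the end-user to and checks the returned `server_id` against that binding. The following is an added example of that RP-side check, not code from the thread or from the Artifact Binding draft. The class name `RelyingParty`, the methods `begin` and `finish`, the `outcome` helper, the hypothetical "other OP" identifier and the embedded sample assertion are all assumptions; the sample reuses the field shape quoted above with the missing comma fixed, and signature verification with `pubkey` is out of scope here.

```python
import json
import secrets
import time


# Constructed sample positive assertion in the shape quoted in the thread;
# the values are illustrative only and no signature check is modelled.
SAMPLE_RESPONSE = json.dumps({
    "openid": {
        "type": "http://openid.net/specs/ab/1.0#id_res",
        "mode": "id_res",
        "server_id": "https://op.example.com/",
        "op_endpoint": "https://op.example.com/op_endpoint",
        "claimed_id": "https://example.com/alice#1234",
        "identity": "alice",
        "user_id": "https://op.example.com/a3flsjeow1234",
        "issued_at": 1280217103,
        "client_id": "https://rp.example.com/",
    },
    "access_token": "SlAV32hkKG",
    "expires_in": 3600,
    "refresh_token": "8xLOxBtZp8",
})


class RelyingParty:
    """Hypothetical RP-side state handling (assumed names, not the draft's API)."""

    def __init__(self, client_id):
        self.client_id = client_id
        # state -> (server_id the state was issued for, expiry timestamp)
        self._pending = {}

    def begin(self, server_id, ttl=600, now=None):
        """Issue a fresh, unguessable state bound to the OP we redirect to."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        self._pending[state] = (server_id, now + ttl)
        return state

    def finish(self, state, response_json, now=None):
        """Validate a callback; raises ValueError on any mismatch."""
        now = time.time() if now is None else now
        # One-time use: popping means a replayed state finds nothing.
        entry = self._pending.pop(state, None)
        if entry is None:
            raise ValueError("unknown or already-used state")
        expected_server_id, expires_at = entry
        if now > expires_at:
            raise ValueError("state expired")
        body = json.loads(response_json)
        openid = body.get("openid", {})
        # The OP named in the assertion must be the one this state was issued for.
        if openid.get("server_id") != expected_server_id:
            raise ValueError("server_id does not match the OP this state was issued for")
        # And the assertion must be addressed to us.
        if openid.get("client_id") != self.client_id:
            raise ValueError("assertion not addressed to this RP")
        return {
            "claimed_id": openid["claimed_id"],
            "user_id": openid["user_id"],
            "access_token": body["access_token"],
        }


def outcome(rp, state, response_json, now=None):
    """Return the accepted claims, or the rejection reason as a string."""
    try:
        return rp.finish(state, response_json, now=now)
    except ValueError as exc:
        return str(exc)


def demo():
    """Run the sample assertion through a valid, a replayed and a mis-bound state."""
    rp = RelyingParty("https://rp.example.com/")
    good = rp.begin("https://op.example.com/")
    accepted = outcome(rp, good, SAMPLE_RESPONSE)
    replayed = outcome(rp, good, SAMPLE_RESPONSE)
    # Assumed second OP: the state was issued for it, but the assertion names op.example.com.
    other = rp.begin("https://other-op.example.net/")
    mismatched = outcome(rp, other, SAMPLE_RESPONSE)
    return accepted, replayed, mismatched


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The lookup keyed by `state` is what gives the RP the "which OP sent this" answer the message says is otherwise missing: the RP never trusts `server_id` on its own, it only accepts an assertion whose `server_id` equals the OP it recorded when it created that `state`.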