[Openid-specs-ab] openid connect specs review

Johnny Bufu jbufu at janrain.com
Mon Jul 11 18:04:25 UTC 2011


Thanks George, a few comments below:

On 11-07-11 09:33 AM, George Fletcher wrote:
> On 7/6/11 8:29 PM, Johnny Bufu wrote:
>> 2.1.  Requests
>>
>> What constitutes a (valid) schema name that MAY be used?
> The only "valid" schema name defined in this spec is "openid". The text
> regarding the 'schema' parameter explicitly states that the only
> predefined value is "openid". Do you think that additional text is needed
> to make this clear?

As a client, I was looking to understand where I get other schema 
definitions from; as a server, I would be interested in how other schemas 
are defined. But I suppose it's also fine if UserInfo leaves them out of 
scope.

>> What's the difference between the terms "schema" and "format" in the
>> context of the UserInfo specification? They seem to be used
>> interchangeably - if there is no difference and neither is formally
>> defined, I suggest using the more generic "format" term.
> So in reading draft 04, it seems to me that schema means the format of
> the data being returned (meaning which fields) while format is
> identifying the "encoding" of the data (e.g. JSON, JWT, XML, etc). I
> changed one format to schema but left the others.
>
> I added schema and format as terms defined in the Terminology section.
> This may be a little much:)

I find these useful.

>> "RESERVED" is capitalized but not defined by RFC2119; capitalization
>> suggests specially defined meaning. I suggest it shouldn't be
>> capitalized if there is no special meaning defined elsewhere.
> Changed this to OPTIONAL. If we've defined RESERVED somewhere else I can
> copy it to the userinfo spec.

My guess is that RESERVED was probably meant to be more restrictive than 
OPTIONAL. OPTIONAL is the equivalent of MAY, RESTRICTED was perhaps 
intended as "SHOULD NOT"?

With OPTIONAL I think more specification is required: what's the value 
(pointer to the previous specification?), when and how will it be used?

>> 2.2.  Responses
>>
>> "See the OpenID Connect Core [OpenID.CC] specification on how to
>> request a different format."
>>
>> Core doesn't define UserInfo response formats.
> I'm assuming this will be addressed in Core.

That works, but then defining format should be removed from the scope of 
the UserInfo spec - abstract states that it "describes the schema and 
format returned by the UserInfo endpoint"


Thanks!
Johnny

