[Openid-specs-ab] Developer Feedback

Johnny Bufu jbufu at janrain.com
Mon Jul 11 20:05:17 UTC 2011


On 11-07-11 10:16 AM, Nat Sakimura wrote:
> 1. We should make sure to place HTTP Redirect Binding as the Center Piece.
>     This actually is the confusion that even Breno was falling into. He
> was thinking that Core was something to be implemented.
>     It is not. It is the HTTP Redirect Binding that the developers
> should read. We may want to rename it to something more
>     attractive and feel as the main spec. (Perhaps rename core as
> "Messages" and let the HTTP Binding assume the name
> "Core" etc.?)

I too feel that the current number of separate documents makes it harder 
to get the big picture, even though I like modular specs. I guess the 
modularization is not laid out in a way that's easy to get. For example:

- The separation between what is an "abstract" message and what a 
binding is required/allowed to define is not very clear.

- ID Tokens are needed, one way or another (JWT encoded or not) to 
complete a full OpenID-Connect authentication. I'd rather learn about 
them from Core.

- UserInfo endpoint seems to be covered by both UserInfo and Framework 
specs.

> 2. Short names are unpopular.
[...]
> Here are my suggestions:
> inf -> userinfo
> idt -> id_token
> clm -> claims
> fmt -> format
> mxa -> max_age
> eaa -> iso29115
> nor -> unsigned
> sig -> signed
> enc -> encrypted
> aat -> auth_time
> loc -> locale
> opt -> optional

+1 if there's no clear technical reason that prevents using these 
slightly longer names.

Johnny

