[Openid-specs-ab] Little more feedback
pdingle at pingidentity.com
Mon Jul 11 22:44:54 UTC 2011
I've been going through the specs as well to try to draw up the summary
page, here are a few inconsistencies I've noted, hopefully they aren't
duplicates to what has been brought up before, I have tried to remove any
- Claims Provider is used in the definition of Claims but is not itself
defined or used anywhere else in this doc
- User Info Endpoint is defined but the others are not (you find the
definitions in other documents, but since most people will read core first,
I think having them in core is important)
- Section 3.1.1 (ID Token) - in the definition of scope, the word
"string" should be plural
- Section 3.1.2 (Authorization Response)
- most of this section describes how response_type should be
formatted, but response_type isn't actually a query string element in the
chosen example. Suggest to do an example of both a request containing
response_type and the subsequent redirection
- there is a description of what response_type="none" but no
description of what happens if there is no response type in the
this is because response_type is declared as required in some
other spec, we
should put a reference to that location in (or else redundantly
response_type is a required parameter).
- Section 3 only mentions that one item - the Java Origin of the Issuer -
must be returned. Section 4 says Issuer ID was discovered in the previous
section - does that mean that Issuer ID == Java Origin?
- Section 4.2 - the term eaa is not defined in the document and only
mentioned in shorthand on one line.
- Suggest that this line in the table
- eaa_supported | string | A comma separated list of the eaa that
this server supports
- Becomes this line:
- eaa_supported | string | A comma separated list of the "entity
authentication assurance" levels that this server supports [OpenID.CF]
- section 2.2 - the description of "must return a subset" and "may return
additional attributes" seems to conflict to me.
- Why does the ID Token have a claim of pape when eaa is used everywhere
else? Seems inconsistent
In general, I agree that the short names are confusing for beginners or
people trying to discern meaning only from code. I found the specs very
easy to read and understand, but tough to know whether some pieces were
required to be developed or just optional.
For example: Core section 4 (Serialization) states that messages can be
serialized in either format (JSON or Query String) unless expressly
forbidden on a per-message basis -- but nothing in section 4 answers the
question of whether or not an implementer is required to support both
serializations to be conformant, or whether they can only support one.
Another example is ID Token - it appeared in the session and userinfo specs
but not in the core, http binding, or framework spec (unless I missed it).
Hopefully this is useful,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab