[Openid-specs-ab] Little more feedback

Breno de Medeiros breno at google.com
Tue Jul 12 18:28:39 UTC 2011

On Tue, Jul 12, 2011 at 11:25, Nat Sakimura <sakimura at gmail.com> wrote:
> Breno,
> On Wed, Jul 13, 2011 at 2:45 AM, Breno de Medeiros <breno at google.com> wrote:
>> >>
>> >> In general, I agree that the short names are confusing for beginners or
>> >> people trying to discern meaning only from code.  I found the specs
>> >> very
>> >> easy to read and understand, but tough to know whether some pieces were
>> >> required to be developed or just optional.
>> >> For example:  Core section 4 (Serialization) states that messages can
>> >> be
>> >> serialized in either format (JSON or Query String) unless expressly
>> >> forbidden on a per-message basis -- but nothing in section 4 answers
>> >> the
>> >> question of whether or not an implementer is required to support both
>> >> serializations to be conformant, or whether they can only support one.
>> >
>> > Actually, "core", which is likely to be called something like "Connect
>> > Messages" are just listing all the possible variations on messages as a
>> > reference, so it does not say anything about conformance. It should be
>> > defined in the "Bindings" such as "OpenID Connect (was: HTTP Redirect
>> > Binding)".
>> >>
>> >> Another example is ID Token - it appeared in the session and userinfo
>> >> specs but not in the core, http binding, or framework spec (unless I
>> >> missed
>> >> it).
>> >
>> > Things were separated out due to some request from the community member,
>> > but
>> > it proves to be more confusing than not. I suggest re-combining "core"
>> > and
>> > "framework" and call it "Connect Messages".
>> I don't think there's agreement in our group to do so. All the
> No. That is why I have not touch the specs in this respect yet.
> As far as I remember, it was the decision of the WG to wait the
> reorganization until we finish the current pass of the spec review.
> The files that I sent earlier and is attaching now has not done anything wrt
> this.
> (Just to make note of, I have not done any edit wrt the comment you made as
> George is working on it. )
> However, it does not preclude a parallel discussion of the possible
> reorganization.
> Current state is that George suggested a reorganization, and Pam, John,
> Johnny, and me +1ed.
> Pam further suggested to call the entire suite as Framework, and Johnny
> +1ed, but Tony -1ed.
>> feedback we get from developers is contrary to this.
> So they like the current organization?
>> The reason things are confusing right now has to do with the fact that
>> the spec has been refactored many times and the writing did not keep
>> up well. We need to fix the writing, not merge specs when we have
>> evidence it will be damaging to the message of
>> simplicity+extensibility we want to convey.
> Could you kindly explain the evidence so that I can understand better?

We have consistent feedback that the core should be: (1) an HTTP
binding; (2) contain only the minimum necessary to create an SSO

That means (according to common agreement in yesterday's call) how to
express the most basic of OpenIDConnect requests and how to use the
retrieved oauth2 token to obtain an audience-restricted statement of
user id.

I maintain that nothing else should be in the core.

>> --
>> --Breno
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en


More information about the Openid-specs-ab mailing list