[Openid-specs-ab] Some feedback on OpenID Connect spec family
andrewarnott at gmail.com
Wed Jul 13 13:41:19 UTC 2011
On Wed, Jul 13, 2011 at 6:32 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> On Wed, Jul 13, 2011 at 12:27 PM, Andrew Arnott <andrewarnott at gmail.com>wrote:
>> Some questions, or suggestions regarding the spec...
>> Section 4.
>> Why are UserInfo endpoint responses receivable in JSON? If it's to
>> "eval" to execute arbitrary code from an untrusted server. Query
>> string syntax would protect against this, and is at least as friendly
>> to web servers as JSON is.
> It was following OAuth's pattern of getting the response back in JSON
> as well as following Facebook Graph API.
> Perhaps it is better to define a Query string version of response for
> the implicit flow. Opinions?
> Connectors.
> I don't know that having a key value form encoding of the User info
> endpoint response necessarily makes sense with some of the claims being JSON
> objects themselves.
> I suppose it is something that we could add as an option if someone can
> describe a serialization.
> The default response should remain JSON for the user Info endpoint.
If the default response should remain JSON, are we going to have in the
NOT call the UserInfo endpoint and execute its results to deserialize the
JSON objects? Do you agree that would be dangerous?
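The point Andrew raises above, shown in code as an added example that is not part of the thread or of the OpenID Connect drafts: an implicit-flow client that turns the UserInfo body into an object with eval() will run anything a malicious or compromised provider puts in the response, while JSON.parse() only ever yields data. The claim names and both response bodies are constructed for the demo; the global flag name is an assumption used only to observe whether code ran.

```javascript
// Added example (not from the thread or the OpenID Connect spec): the
// two ways a client might turn a UserInfo response body into an object,
// and why only one of them is safe against an untrusted server.
//
// Claim names, response bodies and the globalThis flag below are
// constructed for this demo; nothing here is a real provider response.

"use strict";

// A benign UserInfo body, as a well-behaved provider would send it.
const BENIGN_BODY = '{"name": "Alice", "email": "alice@example.org"}';

// A body from a malicious or compromised provider. It is not JSON, but it
// is a valid JavaScript expression: the comma operator runs the assignment
// and then yields a plausible-looking claims object, so an eval()-based
// client gets the claims it expected and never notices the side effect.
const MALICIOUS_BODY =
  '(globalThis.__userinfoDemoPwned = true, {"name": "Alice"})';

// The pattern the thread warns against: eval() the body, wrapped in
// parentheses so a bare object literal is not parsed as a block statement.
function parseUserInfoUnsafe(body) {
  // eslint-disable-next-line no-eval
  return eval("(" + body + ")");
}

// Safe variant: JSON.parse never executes code and throws a SyntaxError on
// anything that is not strict JSON. We additionally require a plain object,
// since JSON also allows arrays, strings, numbers and null at the top level.
function parseUserInfoSafe(body) {
  const claims = JSON.parse(body);
  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) {
    throw new TypeError("UserInfo response must be a JSON object");
  }
  return claims;
}

// Runs both parsers over both bodies and reports what happened.
function demo() {
  delete globalThis.__userinfoDemoPwned;

  // The safe parser accepts the benign body ...
  const safe = parseUserInfoSafe(BENIGN_BODY);

  // ... and rejects the malicious one without executing anything.
  let safeRejected = false;
  try {
    parseUserInfoSafe(MALICIOUS_BODY);
  } catch (e) {
    safeRejected = e instanceof SyntaxError;
  }
  const noCodeRanDuringSafeParse = globalThis.__userinfoDemoPwned === undefined;

  // The eval() parser "successfully" returns the claims, but the
  // provider's code has already run in the client's context.
  const unsafe = parseUserInfoUnsafe(MALICIOUS_BODY);
  const unsafeRanCode = globalThis.__userinfoDemoPwned === true;

  return {
    safeName: safe.name,
    safeRejected,
    noCodeRanDuringSafeParse,
    unsafeName: unsafe.name,
    unsafeRanCode,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The body is deliberately chosen so that the eval() client sees a normal-looking result; an attacker has no reason to make the payload visibly break. Any client that must accept the JSON default should therefore use JSON.parse() and validate the result's shape, whatever serialization the spec ends up offering as an option.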