[Openid-specs-ab] Some feedback on OpenID Connect spec family

Breno de Medeiros breno at google.com
Wed Jul 13 18:10:10 UTC 2011


On Wed, Jul 13, 2011 at 07:40, Andrew Arnott <andrewarnott at gmail.com> wrote:
> I'm glad to hear there are safe ways to parse JSON.  Perhaps pointing this
> out in the security considerations section is all that is necessary.

+1

Agree it is an important security topic to discuss, but would prefer
not to add support for an alternative format to JSON since JSON is so
baked into OAuth2.

> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Wed, Jul 13, 2011 at 7:06 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>>
>>
>> On Wed, Jul 13, 2011 at 10:41 PM, Andrew Arnott <andrewarnott at gmail.com>
>> wrote:
>>>
>>> On Wed, Jul 13, 2011 at 6:32 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>>
>>>> On Wed, Jul 13, 2011 at 12:27 PM, Andrew Arnott <andrewarnott at gmail.com>
>>>> wrote:
>>>>>
>>>>> Some questions, or suggestions regarding the spec...
>>>>>
>>>>> Core
>>>>> Section 4.
>>>>> Why are UserInfo endpoint responses receivable in JSON?  If it's to
>>>>> make javascript client code easier, then you're encouraging using
>>>>> "eval" to execute arbitrary code from an untrusted server.  Query
>>>>> string syntax would protect against this, and is at least as friendly
>>>>> to web servers as JSON is.
>>>>
>>>> It was following OAuth's pattern of getting the response back in JSON
>>>> as well as following Facebook Graph API.
>>>> Perhaps it is better to define a Query string version of response for
>>>> the implicit flow. Opinions? > Connectors.
>>>>
>>>> I don't know that having a key value form encoding of the User info
>>>> endpoint response necessarily makes sense with some of the claims being JSON
>>>> objects themselves.
>>>> I suppose it is something that we could add as an option if someone can
>>>> describe a serialization.
>>>> The default response should remain JSON for the user Info endpoint.
>>>
>>> If the default response should remain JSON, are we going to have in the
>>> security section a comment saying RPs running as Javascript clients SHOULD
>>> NOT call the UserInfo endpoint and execute its results to deserialize the
>>> JSON objects?  Do you agree that would be dangerous?
>>
>> Yes. Use json_parse.js or json-sans-eval like JSON parser which does not
>> do eval.
>>
>>
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>



-- 
--Breno
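The point the thread keeps returning to is that a JavaScript relying party must not `eval` the UserInfo body to turn it into an object. The following is an added example, not code from the thread or from any of the named libraries: it parses a constructed UserInfo response with `JSON.parse` (which, like json_parse.js or json-sans-eval, applies the JSON grammar only and never executes code), then checks that the result is an object carrying the `sub` claim that the spec requires. The sample response and the list of non-JSON inputs are constructed for illustration.

```javascript
// Constructed UserInfo response, shaped like the examples in the Core spec.
const SAMPLE_USERINFO =
  '{"sub":"248289761001","name":"Jane Doe",' +
  '"email":"janedoe@example.com","address":{"country":"US"}}';

// Parse a UserInfo body safely. JSON.parse accepts only the JSON grammar,
// so script-like payloads are rejected with a SyntaxError instead of run.
function parseUserInfo(body) {
  let claims;
  try {
    claims = JSON.parse(body);
  } catch (e) {
    throw new Error('UserInfo response is not valid JSON: ' + e.message);
  }
  // A UserInfo response is a JSON object, not an array, string or null.
  if (claims === null || typeof claims !== 'object' || Array.isArray(claims)) {
    throw new Error('UserInfo response must be a JSON object');
  }
  // "sub" is the one claim every RP needs; it must be a non-empty string.
  if (typeof claims.sub !== 'string' || claims.sub.length === 0) {
    throw new Error('UserInfo response is missing the "sub" claim');
  }
  return claims;
}

// Constructed inputs that are valid JavaScript expressions but not JSON.
// An eval-based deserializer would evaluate each of these; JSON.parse
// throws on every one of them.
const NON_JSON_INPUTS = [
  '({"sub":"1"})',                       // parenthesised object literal
  '(function(){return {sub:"1"}})()',    // self-invoking function
  '{"sub":"1","name":Date}',             // bare identifier as a value
  "{'sub':'1'}",                         // single-quoted strings
];

// Returns true only if JSON.parse rejects every input in the list.
function rejectsAll(inputs) {
  return inputs.every((s) => {
    try {
      JSON.parse(s);
      return false;
    } catch (e) {
      return true;
    }
  });
}

// Stand-alone usage.
console.log(parseUserInfo(SAMPLE_USERINFO).sub);   // 248289761001
console.log(rejectsAll(NON_JSON_INPUTS));          // true
```

The schema check after parsing matters as much as avoiding `eval`: a parser that is safe against code execution still hands back whatever the server sent, so the RP should verify the shape of the claims before using them.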
