[Openid-specs-ab] Some feedback on OpenID Connect spec family

Breno de Medeiros breno at google.com
Wed Jul 13 18:10:10 UTC 2011

On Wed, Jul 13, 2011 at 07:40, Andrew Arnott <andrewarnott at gmail.com> wrote:
> I'm glad to hear there are safe ways to parse JSON.  Perhaps pointing this
> out in the security considerations section is all that is necessary.

Agree it is an important security topic to discuss, but would prefer
not to add support for an alternative format to JSON since JSON is so
baked into OAuth2.

> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
> On Wed, Jul 13, 2011 at 7:06 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>> On Wed, Jul 13, 2011 at 10:41 PM, Andrew Arnott <andrewarnott at gmail.com>
>> wrote:
>>> On Wed, Jul 13, 2011 at 6:32 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>> On Wed, Jul 13, 2011 at 12:27 PM, Andrew Arnott <andrewarnott at gmail.com>
>>>> wrote:
>>>>> Some questions, or suggestions regarding the spec...
>>>>> Core
>>>>> Section 4.
>>>>> Why are UserInfo endpoint responses receivable in JSON?  If it's to
>>>>> make javascript client code easier, then you're encouraging using
>>>>> "eval" to execute arbitrary code from an untrusted server.  Query
>>>>> string syntax would protect against this, and is at least as friendly
>>>>> to web servers as JSON is.
>>>> It was following OAuth's pattern of getting the response back in JSON
>>>> as well as following Facebook Graph API.
>>>> Perhaps it is better to define a Query string version of response for
>>>> the implicit flow. Opinions? > Connectors.
>>>> I don't know that having a key value form encoding of the User info
>>>> endpoint response necessarily makes sense with some of the claims being JSON
>>>> objects themselves.
>>>> I suppose it is something that we could add as an option if someone can
>>>> describe a serialization.
>>>> The default response should remain JSON for the user Info endpoint.
>>> If the default response should remain JSON, are we going to have in the
>>> security section a comment saying RPs running as Javascript clients SHOULD
>>> NOT call the UserInfo endpoint and execute its results to deserialize the
>>> JSON objects?  Do you agree that would be dangerous?
>> Yes. Use a JSON parser like json_parse.js or json-sans-eval, which does not
>> do eval.
>> --
>> Nat Sakimura (=nat)
>> http://www.sakimura.org/en/
>> http://twitter.com/_nat_en
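The eval-free handling of a UserInfo response that Nat recommends, as an added JavaScript example (not code from this thread, the OpenID specs, or the named parsers); it uses the built-in JSON.parse, which now fills the role json_parse.js and json-sans-eval did, and the response bodies below are constructed for illustration.

```javascript
// Added example: handle a UserInfo endpoint response without handing the body
// to eval(). JSON.parse accepts only the JSON grammar, so a body carrying a
// function call or any other code is rejected with a SyntaxError, never run.

// Parse a UserInfo response safely. Returns the claims object or throws.
function parseUserInfoResponse(contentType, body) {
  // Check the declared media type before looking at the body at all.
  const mediaType = String(contentType || "").split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") {
    throw new Error("unexpected content type: " + mediaType);
  }
  // JSON.parse throws on anything outside the JSON grammar.
  const claims = JSON.parse(body);
  // A UserInfo response is a JSON object of claims; reject arrays and scalars.
  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) {
    throw new Error("UserInfo response is not a JSON object");
  }
  return claims;
}

// Constructed sample bodies (not captured from any real server).
const BENIGN_BODY = '{"email":"alice@example.com","name":"Alice"}';
// Valid JavaScript that an eval()-based "parser" would execute, but invalid JSON.
const HOSTILE_BODY = '({"email":"x"}); leaked = true; ({"email":"x"})';

// Returns true when the safe parser rejects the response (nothing executed).
function isRejected(contentType, body) {
  try {
    parseUserInfoResponse(contentType, body);
    return false;
  } catch (e) {
    return true;
  }
}
```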