Michael.Jones at microsoft.com
Sat Jul 16 23:17:44 UTC 2011
You probably want to reply with this content to the post that Dave Recordon just made to the specs list.
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Saturday, July 16, 2011 9:34 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] browserid
Links for those that haven't looked yet.
They are using asymmetrically signed JWT with an introspection endpoint.
There are limitations on attributes, identifiers and other serious issues with what Mozilla is proposing.
Though it is relatively close to what Nat and I were thinking with asymmetrically signed id_tokens, and an introspection endpoint.
In some ways our flow would be simpler if the id_tokens were always asymmetrically signed and anyone not supporting that uses the introspection endpoint.
If the RP doesn't understand asymmetric signatures it just throws to the introspection endpoint.
The big advantage is for smart clients. They would not need to manage shared secrets to validate tokens.
For a smart client I suppose that you could let it generate its own access tokens if those access tokens are JWT and they wrap a JWT containing the client's public key and some scope constraints etc. In principle that could lower the IdP's authorization load, however I don't know if it would be worth it.
Just some things to think about.