[Openid-specs-ab] Lite Draft 8

Breno de Medeiros breno at google.com
Tue Aug 16 21:11:23 UTC 2011


On Tue, Aug 16, 2011 at 12:55, Allen Tom <allentomdude at gmail.com> wrote:
> Based on my feedback, and also from what I read from George and Johnny, it
> sounds like the id_token should either be removed from the Lite spec (is it
> really required for a Lite implementation? It appears to be an optimization)
> or perhaps if it needs to stay in the spec, then it should be definitely
> better documented.
> The id_token definition in Section 2 says that it's opaque in the Lite
> profile, which at least to me, means that implementors can ignore it.  I've
> heard that other OAuth2 based APIs have equivalents of the id_token. Can
> someone point me at some public documentation from other implementations?

An example of an implementation is Facebook's signed_request.

> Thanks
> Allen
>
> On Fri, Aug 12, 2011 at 1:29 PM, George Fletcher <gffletch at aol.com> wrote:
>>
>> I've attached a pdf with my comments on Lite draft 8. It appears that
>> some of these were discussed on the call yesterday. Please ignore those if a
>> resolution has been reached.
>>
>> Thanks,
>> George
>>
>> On 8/11/11 2:57 PM, John Bradley wrote:
>>
>> Updated lite.
>>
>> The introspection endpoint is renamed to be consistent with session
>> management.  I think the name is clearer for the function.
>>
>> Per my discussion with Breno I made it clear that it is an OAuth 2
>> protected resource per the spec and not something special.
>>
>> That required removing the text about it being possible to overload it on
>> the token endpoint.  That probably is not a good idea as they now have
>> different security.
>>
>> I referenced session management and the full spec to redirect people to
>> there for a fuller explanation.
>>
>> PPID is only mentioned in security considerations.
>> We should discuss if it should be in the lite spec.
>> Some IdPs will use PPID by default.  I think a discussion of how that
>> should be calculated needs to be included, otherwise RPs will be surprised if
>> they change something and all the user_id values change.
>>
>> I may only make the first part of the call.  I have a 6:20 flight.
>>
>> John B.
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>> --
>> Chief Architect                   AIM:  gffletch
>> Identity Services Engineering     Work: george.fletcher at teamaol.com
>> AOL Inc.                          Home: gffletch at aol.com
>> Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
>> Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch
>>
>
>



-- 
--Breno

