[Openid-specs-ab] Lite Draft 8

John Bradley ve7jtb at ve7jtb.com
Tue Aug 16 23:31:21 UTC 2011


id_token is required.  

I am going to take another shot at explaining it for the lite spec.

Both the id_token and user-info access token are opaque.  That only means that the client is not expected to interpret them directly.

The client uses them as access tokens for the Check Session and user-info endpoints respectively.

There is an optimization that we don't talk about in lite where the client directly checks the id_token for information rather than making a call to Check Session.

The two tokens have potentially different scopes and lifetimes.

There are good reasons for separating resource authorization from session authentication.

It is true that twitter and others confuse those.  That however is a real security problem.

Facebook signed request is a good example of separating them.  However they make that optional for the RP.
We have made it REQUIRED, but provide the Check Session endpoint so they don't need to do crypto.

One question is perhaps that the id_token name is confusing.

Perhaps as it is used as the access token for the Check Session and other Session endpoints, calling it session might be clearer.

Thoughts?

John 
On 2011-08-16, at 5:11 PM, Breno de Medeiros wrote:

> On Tue, Aug 16, 2011 at 12:55, Allen Tom <allentomdude at gmail.com> wrote:
>> Based on my feedback, and also from what I read from George and Johnny, it
>> sounds like the id_token should either be removed from the Lite spec (is it
>> really required for a Lite implementation? It appears to be an optimization)
>> or perhaps if it needs to stay in the spec, then it should be definitely
>> better documented.
>> The id_token definition in Section 2 says that it's opaque in the Lite
>> profile, which at least to me, means that implementors can ignore it.  I've
>> heard that other OAuth2 based APIs have equivalents of the id_token. Can
>> someone point me at some public documentation from other implementations?
> 
> An example of an implementation is Facebook's signed_request
> 
>> Thanks
>> Allen
>> 
>> On Fri, Aug 12, 2011 at 1:29 PM, George Fletcher <gffletch at aol.com> wrote:
>>> 
>>> I've attached a pdf with my comments on Lite draft 8. It appears that
>>> some of these were discussed on the call yesterday. Please ignore those if a
>>> resolution has been reached.
>>> 
>>> Thanks,
>>> George
>>> 
>>> On 8/11/11 2:57 PM, John Bradley wrote:
>>> 
>>> Updated lite.
>>> 
>>> The introspection endpoint is renamed to be consistent with session
>>> management.  I think the name is clearer for the function.
>>> 
>>> Per my discussion with Breno I made it clear that it is an OAuth 2
>>> protected resource per the spec and not something special.
>>> 
>>> That required removing the text about it being possible to overload it on
>>> the token endpoint.  That probably is not a good idea as they now have
>>> different security.
>>> 
>>> I referenced session management and the full spec to redirect people to
>>> there for a fuller explanation.
>>> 
>>> PPID is only mentioned in security considerations.
>>> We should discuss if it should be in the lite spec.
>>> Some IdPs will use PPID by default.  I think a discussion of how that
>>> should be calculated needs to be included; otherwise RPs will be surprised if
>>> they change something and all the user_id values change.
>>> 
>>> I may only make the first part of the call.  I have a 6:20 flight.
>>> 
>>> John B.
>>> 
>>> 
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>> 
>>> --
>>> Chief Architect                   AIM:  gffletch
>>> Identity Services Engineering     Work: george.fletcher at teamaol.com
>>> AOL Inc.                          Home: gffletch at aol.com
>>> Mobile: +1-703-462-3494           Blog: http://practicalid.blogspot.com
>>> Office: +1-703-265-2544           Twitter: http://twitter.com/gffletch
>>> 
> -- 
> --Breno
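The separation John argues for above (two opaque tokens, each used only as the access token for its own endpoint, with independent scopes and lifetimes, and a Check Session call rather than the user-info response serving as the proof of login) is easier to see in running code. The following is an added illustration written for this thread, not code from the Lite draft or from any OP or RP implementation; the endpoint names follow the discussion, but the modelled token records, the fields returned by check_session (user_id, client_id, expires_at), the scope names "session" and "userinfo", and the client_id comparison in the RP are assumptions of this toy model, not something the draft text quoted here specifies.

```python
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    """Server-side state behind an opaque token handle (constructed model)."""
    kind: str          # "id_token" (session) or "access_token" (resource access)
    user_id: str
    client_id: str     # the RP the token was issued to (assumption of this model)
    scope: frozenset
    expires_at: float


class ToyProvider:
    """Constructed OP exposing a Check Session endpoint and a user-info endpoint."""

    def __init__(self):
        self._tokens = {}
        # Constructed profile data for one user.
        self._profiles = {"user-42": {"user_id": "user-42", "name": "Example User"}}

    def issue_tokens(self, user_id, client_id, now, session_ttl=600, access_ttl=3600):
        """Issue one opaque token per endpoint; each has its own scope and lifetime."""
        id_token = secrets.token_urlsafe(24)
        access_token = secrets.token_urlsafe(24)
        self._tokens[id_token] = TokenRecord(
            "id_token", user_id, client_id, frozenset({"session"}), now + session_ttl)
        self._tokens[access_token] = TokenRecord(
            "access_token", user_id, client_id, frozenset({"userinfo"}), now + access_ttl)
        return {"id_token": id_token, "access_token": access_token}

    def _resolve(self, token, kind, scope, now):
        """Look the opaque handle up; the client never parses it."""
        rec = self._tokens.get(token)
        if rec is None:
            return None, "invalid_token"
        if rec.kind != kind:
            return None, "wrong_token_type"   # token presented at the wrong endpoint
        if scope not in rec.scope:
            return None, "insufficient_scope"
        if now >= rec.expires_at:
            return None, "expired"
        return rec, None

    def check_session(self, token, now):
        """Session endpoint: accepts only the id_token (OAuth 2 protected resource)."""
        rec, err = self._resolve(token, "id_token", "session", now)
        if err:
            return {"error": err}
        return {"user_id": rec.user_id, "client_id": rec.client_id, "expires_at": rec.expires_at}

    def user_info(self, token, now):
        """Resource endpoint: accepts only the user-info access token."""
        rec, err = self._resolve(token, "access_token", "userinfo", now)
        if err:
            return {"error": err}
        return dict(self._profiles[rec.user_id])


class ToyRelyingParty:
    def __init__(self, op, client_id):
        self.op = op
        self.client_id = client_id

    def login_via_check_session(self, tokens, now):
        """Separated pattern: only a Check Session result for this RP counts as a login."""
        resp = self.op.check_session(tokens["id_token"], now)
        if "error" in resp or resp["client_id"] != self.client_id:
            return None
        return resp["user_id"]

    def login_via_user_info(self, tokens, now):
        """Conflated pattern: any usable resource token is treated as proof of login."""
        resp = self.op.user_info(tokens["access_token"], now)
        return None if "error" in resp else resp["user_id"]

    def fetch_profile(self, tokens, now):
        return self.op.user_info(tokens["access_token"], now)


def demo():
    """Exercise both endpoints with constructed tokens and return the observations."""
    op = ToyProvider()
    rp_a = ToyRelyingParty(op, "client-A")
    t0 = 1_000.0
    tokens_a = op.issue_tokens("user-42", "client-A", t0)   # issued to RP A
    tokens_b = op.issue_tokens("user-42", "client-B", t0)   # issued to some other RP
    return {
        "login_ok": rp_a.login_via_check_session(tokens_a, t0),
        "profile_ok": rp_a.fetch_profile(tokens_a, t0)["name"],
        "id_token_at_user_info": op.user_info(tokens_a["id_token"], t0)["error"],
        "access_token_at_check_session": op.check_session(tokens_a["access_token"], t0)["error"],
        # Session lifetime (600 s) is shorter than the access token lifetime (3600 s).
        "login_after_session_expiry": rp_a.login_via_check_session(tokens_a, t0 + 700),
        "profile_after_session_expiry": rp_a.fetch_profile(tokens_a, t0 + 700)["name"],
        # A resource token issued to another RP still reads a profile, so the
        # conflated login accepts it; the session check for RP A does not.
        "foreign_token_conflated_login": rp_a.login_via_user_info(tokens_b, t0),
        "foreign_token_separated_login": rp_a.login_via_check_session(tokens_b, t0),
    }
```

Running demo() shows the three points from the message: each token is rejected at the other endpoint, the session can lapse while the user-info token is still good for fetching the profile, and a login decision made from a user-info response accepts a token that was never issued to this RP, which is the conflation of resource authorization with session authentication the message calls a real security problem.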
