[Openid-specs-ab] Lite Draft 9

Allen Tom allentomdude at gmail.com
Fri Aug 19 19:06:52 UTC 2011


In section 3.3.1 - Are both the access_token and the id_token supposed to be
sent to the Check Session endpoint? The way that Section 3.3.1 in Draft 9 is
currently written, it sounds like only the id_token is sent in the request,
and that the id_token is actually the access_token.

It would probably be helpful to have an example Check Session request in the
spec.

Allen


On Fri, Aug 19, 2011 at 12:02 PM, Allen Tom <allentomdude at gmail.com> wrote:

> The explanation in Section 3 regarding when to use the Implicit vs Code
> flow is vague, because it's not clear as to what it means for a client to
> securely maintain state between itself and the auth server.
>
> It might be better to just say that the Code flow should be used if the
> redirect_uri doesn't use HTTPS, and if the client is able to securely store
> its client_secret.
>
> Allen