[Openid-specs-ab] Comments on the OpenID Connect Standard spec 1.0 draft 4

Edmund Jay ejay at mgi1.com
Tue Sep 20 18:19:22 UTC 2011


The query parameters need to be sent even when "request" parameter is sent 
because the request needs to conform to OAuth specs.
The "request" parameter is an extension parameter used for creating more complex 
requests and as a way to sign/encrypt the request.  Therefore the query 
parameters need to be present in the "request" object also and will take 
precedence.




________________________________
From: Roland Hedberg <roland.hedberg at adm.umu.se>
To: George Fletcher <gffletch at aol.com>
Cc: "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
Sent: Mon, September 19, 2011 11:49:53 PM
Subject: Re: [Openid-specs-ab] Comments on the OpenID Connect Standard spec 1.0 
draft 4


20 sep 2011 kl. 03:37 skrev George Fletcher:

> 
> * Section 4.1.1.2
> 
> The second paragraph says that parameters specified in the "OpenID Request 
>Object" take precedence over query parameters. Yet the non-normative example, 
>shows the same parameter in both the query string and the OpenID Request Object. 
>Given that the Request Object takes precedence, isn't just the request object 
>enough? So the last example in section 4.1.1.2 could be...
> 
>https://server.example.com/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtx
>x 
>dDMiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUiLCJzd
>GF0ZSI6ImFmMGlmanNsZGtqIiwidXNlcmluZm8iOnsiY2xhaW1zIjp7Im5hbWUiOm51bGwsIm5pY2tuYW1lIjp7Im9wdGlvbmFsIjp0cnVlfS
>S 
>wiZW1haWwiOm51bGwsInZlcmlmaWVkIjpudWxsLCJwaWN0dXJlIjp7Im9wdGlvbmFsIjp0cnVlfX0sImZvcm1hdCI6InNpZ25lZCJ9LCJpZF9
>0b2tlbiI6eyJtYXhfYWdlIjo4NjQwMCwiaXNvMjkxMTUiOiIyIn19.2OiqRgrbrHkA1FZ5p_7bc_RSdTbH-wo_Agk-ZRpD3wY
>Y
> 

I went through the same reasoning but I came out the other end with the idea 
that the parameters that matter, those you want to sign, they should be in the 
request JWT and those that isn't vital (are there any such) could be in the 
query string.
Anyway I also see no reason for parameters to be in both.

> * Section 4.1.4.1
> 
> This probably isn't an issue, but ensuring the entire URL does not exceed 512 
>bytes, requires both the AS and the Client to work together. If the client has a 
>really large state value, and the AS has a large code value, the combined length 
>could be greater than 512.

Agreed, a bad behaved client can make it impossible for a server to construct 
URLs shorter then 512 bytes.

-- Roland

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110920/f2dc217f/attachment.html>


More information about the Openid-specs-ab mailing list