[Openid-specs-ab] Description of js_origin_uri (Javascrip Origin URI) in Client Registration Spec
Breno de Medeiros
breno at google.com
Wed Nov 23 19:44:08 UTC 2011
In our implementation we currently name this parameter 'origin' which I
think has the benefit of being shorter than 'js_origin_uri'.
A JS Origin is a well-defined HTML5 concept. (And earlier HTML specs also,
it has not changed.)
I am not sure we need to put it in the spec provided that we write the spec
so that other bindings than HTTP redirect transport (e.g.,
postmessage-based transport) are allowed to be composed.
At some point I would like this group to work on postmessage binding for
On Wed, Nov 23, 2011 at 11:39, John Bradley <ve7jtb at ve7jtb.com> wrote:
> It is used only for postMessage.
> Clients wishing to use postMessage MUST register a value.
> Looking at Google's registration and the spec a single origin looks
> A client MUST register a JS Origin if it is requesting a postMessage
> A client MUST register a redirect_uri if it is requesting a fragment
> encoded response.
> A client MAY register a redirect_uri if it is requesting a query parameter
> encoded response.
> For those that haven't read the google spec you send
> redirect_uri="postmessage" in the request.
> The registered js_origin_uri is used to send the response.
> It would be nice if we had a oauth2-postmessage-profile<https://groups.google.com/group/oauth2-postmessage-profile> that
> didn't require reading the JS source!
> Breno should correct me if I have it wrong.
> John B.
> On 2011-11-23, at 4:11 PM, Edmund Jay wrote:
> In the Registration spec, we have a js_origin_uri field which requires
> more explanation.
> Currently, it's defined as :
> Post Message flow).
> This description is not very informative as is, so the working group
> decided to do some research.
> parts of the specs.
> with each other if they originate from the same origin.
> Origin is defined by the scheme, host, and port of a URL. Pages have the
> same origin if and only if the scheme, host, and port matches exactly.
> Some general background about same origin policy can be found at
> HTML5 defines the exact mechanism for determining the effective origin of
> Given this restriction, there are techniques used by providers to allow
> cross domain communication. Otherwise, only scripts in the same origin as
> the providers would be able to work.
> This page describes window.postMessage
> Project homepage:
> For example: https://example.com
> So for the Registration spec, it would just be a list of allowable URIs
> Would it be correct to define the js_origin_uri as follows :
> OPTIONAL. A Space-separated list of allowable URIs where client
> Another question is, should we eliminate the js_origin_uri, since it's not
> mentioned anywhere else?
> Or do we need to elaborate more on how it's used in the other specs?
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab