[Openid-specs-ab] Does Connect support public clients?

Justin Richer jricher at mitre.org
Tue Feb 21 13:47:56 UTC 2012


I would prefer to have the Basic Client use the code flow for another 
reason: the code flow is the only one that's mandatory to implement for 
the server. So what we have right now is advice for servers to implement 
something that our advice to clients say they don't have to.

  -- Justin

On 02/20/2012 07:30 PM, John Bradley wrote:
> Torsten,
>
>  From your tickets it looks like you are thinking that the Basic client profile is for JS clients in the browser doing canvas type Aps and directly accessing the check_id and user_info endpoints.
>
> The idea for what i't worth was that it is intended to be a Web server profile that uses the browser side implicit flow, with a simple sever side callback that extracts the fragment and passes it to the server for processing and verification.   That is why Cross Origin Resource sharing is not mentioned win that profile.
>
> It is true that that profile could be used for a Canvas type JS app in the browser accessing the endpoints as well.
>
> Would your preference have been to make the basic client use the code flow?   It is arguably similar in complexity at the end of the day,  but with better security for Web Server type applications.
>
> I would probably just have the client base64 decode the id_token and forget calling the check_id endpoint.   If the client doesn't have the correct token endpoint and gives the client secret to it checking the signature on the id_token is not very useful:)
>
> Regards
> John B.
> On 2012-02-20, at 3:58 PM, Torsten Lodderstedt wrote:
>
>> Hi all,
>>
>> I'm unable to find out whether OpenID Connect supports public clients. It seems Connect assumes all clients register with the OP and obtain a client credential. If this observation is correct, what is the reason for being more restrictive than OAuth?
>>
>> regards,
>> Torsten.
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120221/35a7d5b3/attachment.html>


More information about the Openid-specs-ab mailing list