[Openid-specs-ab] id_token in URI query parameter

John Bradley ve7jtb at ve7jtb.com
Tue Feb 21 17:57:28 UTC 2012

We do support id_tokens to be returned directly from the Authorization server, but only fragment encoded. There was an active debate on whether the 'code id_token' response_type should return id_token as a query parameter. At the time Google & Facebook, based on existing practice of returning 'code signed_request' as both fragment encoded, argued that was the best way to do it. It was a utility issue, not a security one.

Their argument is that it is only a single JS that needs to be called from the server to return the fragment encoded values.

An example :

// First, parse the query string
var params = {}, queryString = location.hash.substring(1),
    regex = /([^&=]+)=([^&]*)/g, m;
while (m = regex.exec(queryString)) {
  params[decodeURIComponent(m[1])] = decodeURIComponent(m[2]);
}

// And send the token over to the server
var req = new XMLHttpRequest();
// consider using POST so query isn't logged
req.open('GET', 'https://' + window.location.host + '/catchtoken?' + queryString, true);

req.onreadystatechange = function (e) {
  // readyState 4 means the response has been fully received
  if (req.readyState == 4) {
    if (req.status == 200) {
      // state is read from the fragment and used as the page to return to
      window.location = params['state'];
    } else if (req.status == 400) {
      alert('There was an error processing the token.');
    } else {
      alert('something else other than 200 was returned');
    }
  }
};
// Without send() the request is never issued
req.send(null);

I am not a web developer myself.  I see advantages to both approaches depending on what you are doing.

We could make another response_type token_code_query and let the client decide, though it introduces more options and complexity.

John B.

On 2012-02-21, at 1:48 PM, Torsten Lodderstedt wrote:

> Hi all,
> what is the rationale for not supporting the transmission of id tokens as URI request parameter? Is it because of the potential leakage via browser caches?
> I'm asking because the id token is more or less equivalent to an OpenID 2.0 response, which directly carries all identity data to the RP. But the Connect design makes life of an ordinary RP more difficult. It either needs to take another roundtrip (code) or implement JS client side logic to obtain the same data.
> regards,
> Torsten.

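Added example, not part of the original message or of any OpenID code: a variant of the relay script above that follows its "consider using POST" comment, clears the fragment from the address bar, and checks state before navigating. The function names and the fallback path '/' are assumptions; '/catchtoken' is the endpoint from the message.

```javascript
// Added example; '/catchtoken' is from the message, every other name is hypothetical.

// Build the relay request from location.hash. The fragment values travel in a
// POST body, so the id_token never appears in a URL that the server logs.
function buildRelayRequest(hash, origin) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return {
    method: 'POST',
    url: origin + '/catchtoken',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
    state: params.get('state'), // first value if the key is repeated
  };
}

// Assumption: as in the message's script, state holds the page to return to.
// Accept it only when it resolves inside our own origin; otherwise go to '/'.
function safeRedirectTarget(state, origin) {
  if (typeof state !== 'string' || state === '') return '/';
  let target;
  try {
    target = new URL(state, origin);
  } catch (e) {
    return '/';
  }
  if (target.origin !== origin) return '/';
  return target.pathname + target.search + target.hash;
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== 'undefined' && typeof fetch === 'function') {
  const origin = window.location.origin;
  const relay = buildRelayRequest(window.location.hash, origin);
  // Remove the fragment from the address bar and the history entry.
  history.replaceState(null, '', window.location.pathname + window.location.search);
  fetch(relay.url, {
    method: relay.method,
    headers: relay.headers,
    body: relay.body,
    credentials: 'same-origin',
  }).then(function (res) {
    if (res.ok) window.location.assign(safeRedirectTarget(relay.state, origin));
    else console.error('token relay rejected, status ' + res.status);
  }).catch(function (err) {
    console.error('token relay failed', err);
  });
}
```

The server side of /catchtoken still has to verify the id_token signature and audience; the script only moves the value.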