[Openid-specs-ab] Additional issues/questions with Basic
Michael.Jones at microsoft.com
Thu May 17 18:49:07 UTC 2012
I was going through some of my mail working on closing the remaining issues to finish the OAuth Bearer RFC and I ran across this message, which I realized that I never responded to.
Could you expand on "This violates OAuth"? Is there a change you'd recommend in the Connect specs as a result?
(The second point is now moot, as we decided to remove the Check ID Endpoint at the last in-person working group meeting.)
From: Chuck Mortimore [mailto:cmortimore at salesforce.com]
Sent: Friday, March 02, 2012 11:13 AM
To: Mike Jones
Subject: Additional issues/questions with Basic
2.2.1 redirect_uri: A redirection URI where the response will be sent. This MUST be pre-registered with the provider.
This Violates OAuth
2.3.1 CheckID: access_token: REQUIRED. The ID Token obtained from an OpenID Connect Authorization Request.
Why is this the ID Token, but called access_token?
Why would we use POST if it's in an AuthZ header?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Openid-specs-ab