[Openid-specs-ab] Couple questions on the UserInfo Request

Mike Jones Michael.Jones at microsoft.com
Thu Mar 7 13:40:17 UTC 2013


The “id” language is because Facebook allows requests to its Graph API to supply an “id” parameter specifying which resource you’re requesting.  For what it’s worth, the must-ignore-id language was written during a working group meeting at Facebook.

I agree that it’s probably better to just drop it, and the schema language.

                                                            -- Mike

From: Justin Richer [mailto:jricher at mitre.org]
Sent: Wednesday, March 06, 2013 6:20 AM
To: Brian Campbell
Cc: Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Couple questions on the UserInfo Request

I'm actually OK with dropping "schema" entirely here. If you're going to do a SCIM setup, it's more than just a schema difference, it's effectively a different endpoint.

I also don't understand the "id" parameter restriction -- there was probably a good reason at the time, but I don't see it recorded. I would guess that it's to prevent people from trying to query for different users other than "the current user"?

 -- Justin
On 03/06/2013 09:03 AM, Brian Campbell wrote:
That raises some different questions than I had in mind.
I'd say if the OP needs something on the endpoint like that, whatever it might be, then yes they include it all and let the client discover and use it. That probably suggests that language is needed for the endpoint saying that it may include a query component which must be retained (similar to what RFC 6749 has in a few places in the endpoints section).
The questions I was getting at are if an extensibility point is needed for the schema of the UserInfo Endpoint at all? If so, both client and OP need to understand it, which suggests maybe supported schema types need to be advertized in discovery. And maybe included in registration. And if you do that, the need for a parameter on the UIEP maybe goes away. The more I think about it, the more it seems this extensibility point isn't fully baked.
But I digress. What I was originally asking for was to not make schema required and let openid be the default value when it's not specified. It's awkward to have only one possible value for a parameter but require that everyone send exactly that value all the time.
I'm also still confused about why there's this reserved id parameter there. What's the point? Wouldn't saying something general about ignoring other parameters be more appropriate? If anything needs to be said at all.



On Tue, Mar 5, 2013 at 5:34 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

To be completely clear, if we keep the present semantics I believe we need to add this language:



The Client MUST add "schema=openid" as a request parameter when making a request to the UserInfo Endpoint.



Is that what we really want?  Or should we make it the responsibility of the OP to add this parameter when needed, and let the Client discover a UserInfo Endpoint address that may include a “?schema=openid” query parameter, when the OP needs it to be present (slightly simplifying the client)?



                                                            -- Mike



-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Tuesday, March 05, 2013 2:58 PM
To: Nat Sakimura; Vladimir Dzhuvinov / NimbusDS
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Couple questions on the UserInfo Request



Having read §2.3.1 (UserInfo Request), first I think something like these words are missing before the list "The following request parameters are used with the UserInfo endpoint:".  I can add those.



However, looking at this again, I believe there's an ambiguity whether the client adds the "schema=openid" parameter or not.  Making this concrete, I believe that the URL of Google's UserInfo Endpoint is:

               https://www.googleapis.com/oauth2/v3/userinfo?schema=openid

They've already added the parameter to their endpoint address.



Should they actually be advertising this UserInfo endpoint address instead:

               https://www.googleapis.com/oauth2/v3/userinfo

with the expectation that the Client will add the "schema=openid" parameter?



I think we may need to be clearer on this.



                                                            -- Mike



-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Tuesday, March 05, 2013 11:27 AM
To: Vladimir Dzhuvinov / NimbusDS
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Couple questions on the UserInfo Request



At around the time, we switched from SCIM schema to the flat schema due to developer requests at the time. However, we wanted to provide the ability to specify other scheme names such as scim to get the data in that format if the server supports it.



Sent from iPad



On 2013/03/06 4:10, Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com> wrote:



> I was also wondering about that. It seems to be an artefact from old
> drafts 05 and 07, as the doc history suggests:
>
> http://openid.net/specs/openid-connect-messages-1_0.html#rfc.section.C
>
> Vladimir
>
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>
> -------- Original Message --------
> Subject: [Openid-specs-ab] Couple questions on the UserInfo Request
> From: Brian Campbell <bcampbell at pingidentity.com>
> Date: Tue, March 05, 2013 6:30 pm
> To: "<openid-specs-ab at lists.openid.net>" <openid-specs-ab at lists.openid.net>
>
> In §2.3.1. UserInfo Request at
> http://openid.bitbucket.org/openid-connect-messages-1_0.html#UserInfoRequest ,
> if the only defined schema value is openid, why make it
> required rather than just defaulting to the only current possible
> value?
>
> And what is the id parameter for? It just kind of sticks out as odd
> there. I imagine there's some reason it's there but the associated
> text is kind of cryptic and doesn't explain much.
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

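The endpoint-address ambiguity discussed in this thread, as an added example that is not part of the original messages or of any OpenID Connect draft: a client helper that retains a discovered query component and adds schema=openid only when it is absent, and an OP-side parser that defaults the schema to openid and ignores "id". The function names and the op.example host are assumptions made for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

DEFAULT_SCHEMA = "openid"
SUPPORTED_SCHEMAS = {"openid"}  # assumption: this OP only serves the flat schema


def build_userinfo_url(discovered_endpoint, schema=DEFAULT_SCHEMA):
    """Client side: keep whatever query the OP advertised, add schema once.

    Works whether discovery returned ".../userinfo" or
    ".../userinfo?schema=openid", the two forms debated in the thread.
    """
    parts = urlsplit(discovered_endpoint)
    params = parse_qsl(parts.query, keep_blank_values=True)
    advertised = [v for k, v in params if k == "schema"]
    if not advertised:
        params.append(("schema", schema))
    elif advertised != [schema]:
        # The OP pinned a schema the client does not speak: fail closed
        # instead of sending two conflicting values.
        raise ValueError("endpoint advertises schema %r" % advertised)
    return urlunsplit(parts._replace(query=urlencode(params)))


def parse_userinfo_request(url):
    """OP side: schema defaults to openid; 'id' and unknown params are ignored.

    The subject is taken from the access token only, so a client-supplied
    'id' can never select a different user.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    schemas = [v for k, v in params if k == "schema"]
    if len(schemas) > 1:
        raise ValueError("duplicate schema parameter")
    schema = schemas[0] if schemas else DEFAULT_SCHEMA
    if schema not in SUPPORTED_SCHEMAS:
        raise ValueError("unsupported schema: " + schema)
    ignored = sorted({k for k, _ in params if k != "schema"})
    return {"schema": schema, "ignored": ignored}


if __name__ == "__main__":
    # Constructed inputs; op.example is a placeholder host.
    print(build_userinfo_url("https://op.example/userinfo?tenant=a"))
    print(parse_userinfo_request("https://op.example/userinfo?id=someone-else"))
```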