[Openid-specs-ab] MTI: Basic Client Profile sufficient for closed systems?
torsten at lodderstedt.net
Sun Jul 28 18:44:20 UTC 2013
In the OpenID Connect Workshop at IETF-87, we today discussed the
"mandatory to implement" requirements (Message/Section 8). One topic was
the different profiles a client may use to integrate with an OpenID
Connect OP (Basic Client Profile and Implicit Client Profile).
I think requiring every OP to support both the Basic and the Implicit
Client Profile unnecessarily increases the cost and complexity of an OP
implementation. Based on our implementation experience and feedback
from our partners, I would argue the Basic Client Profile is sufficient
for all standard use cases and simple to implement. On the other hand,
implementing the Implicit Client Profile requires implementing not only
the implicit grant but also nonce, at_hash, RSA signatures and so on,
which considerably increases implementation complexity.
In the course of the discussion, reasonable arguments were made for
supporting both profiles in open scenarios, where clients bind to
previously unknown servers at runtime. Therefore, I would like to
suggest making only the functions required by the Basic Client Profile
mandatory for closed systems (section 8.1) and adding compliance with the
Implicit Client Profile to the requirements for open systems (section
What do you think?
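To make concrete what the message above means by the extra work the Implicit Client Profile imposes on the ID Token consumer, here is an added example (not from the original post or from any OpenID project) of the two checks a relying party must perform on an implicit-flow response: matching the nonce it generated against the ID Token claim, and verifying the at_hash claim that binds the access token to the ID Token, computed as OpenID Connect Core 3.2.2.9 specifies (left-most half of the hash named by the JWS alg, base64url without padding). Token and claim values are constructed for illustration, and the hypothetical `validate_implicit_response` assumes the ID Token signature has already been verified.

```python
import base64
import hashlib
import hmac

# Hash used for at_hash follows the ID Token's JWS "alg" header value.
ALG_HASH = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def b64url(data: bytes) -> str:
    """base64url encoding without '=' padding, as used in JWS/OIDC."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash = base64url(left-most half of hash(ASCII octets of access_token))."""
    digest = ALG_HASH[alg](access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def validate_implicit_response(claims: dict, access_token: str,
                               expected_nonce: str, alg: str = "RS256"):
    """Checks an implicit-flow response after signature verification.

    Returns (ok, reason). The nonce check defends against replay of a
    captured ID Token; the at_hash check defends against pairing a
    legitimate ID Token with a substituted access token.
    """
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    at_hash = claims.get("at_hash")
    if at_hash is None:
        # Required whenever an access token is issued from the authorization endpoint.
        return False, "at_hash missing"
    if not hmac.compare_digest(at_hash, compute_at_hash(access_token, alg)):
        return False, "at_hash mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values; a real flow would take these from the fragment and ID Token.
    nonce = "n-0S6_WzA2Mj"
    token = "constructed-access-token-value"
    good_claims = {"nonce": nonce, "at_hash": compute_at_hash(token)}
    print(validate_implicit_response(good_claims, token, nonce))
    print(validate_implicit_response(good_claims, "substituted-token", nonce))
```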