[Openid-specs-ab] MTI: Basic Client Profile sufficient for closed systems?

Torsten Lodderstedt torsten at lodderstedt.net
Sun Jul 28 18:44:20 UTC 2013


Hi all,

In the OpenID Connect Workshop at IETF-87, we today discussed the 
"mandatory to implement" requirements (Messages/Section 8). One topic was 
the different profiles a client may use to integrate with an OpenID 
Connect OP (Basic Client Profile and Implicit Client Profile).

I think requiring every OP to support both the Basic and the Implicit 
Client Profile unnecessarily increases the cost and complexity of an OP 
implementation. Based on our implementation experience and feedback 
from our partners, I would argue the Basic Client Profile is sufficient 
for all standard use cases and simple to implement. On the other hand, 
implementing the Implicit Client Profile requires implementing not only 
the implicit grant but also nonce, at_hash, RSA signatures and so on, 
which considerably increases implementation complexity.

In the course of the discussion, reasonable arguments were made for 
supporting both profiles in open scenarios, where clients bind to 
previously unknown servers at runtime. Therefore, I would like to 
suggest making only the functions required by the Basic Client Profile 
mandatory for closed systems (section 8.1) and adding compliance with the 
Implicit Client Profile to the requirements for open systems (section 
8.2).

What do you think?

Regards,
Torsten.
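The nonce and at_hash checks mentioned above are the client-side validation that the Implicit Client Profile adds on top of signature verification; the following is an added example (not code from the post or from any OpenID project) showing how a client computes and checks them for an ID token issued with `response_type=id_token token`. It assumes the ID token's signature has already been verified, that the signing algorithm is RS256 (so at_hash uses SHA-256), and the token, claims and nonce values are constructed sample data.

```python
import base64
import hashlib
import hmac

# SHA-2 family member used for at_hash depends on the JWS alg of the ID token
_ALG_TO_HASH = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}


def b64url_nopad(data: bytes) -> str:
    """base64url encoding without '=' padding, as used for at_hash."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash per OpenID Connect Core 3.2.2.9: hash the ASCII access token
    with the alg's hash function, keep the left-most half of the digest,
    base64url-encode it without padding."""
    digest = hashlib.new(_ALG_TO_HASH[alg], access_token.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def validate_implicit_id_token(claims: dict, access_token: str,
                               expected_nonce: str, alg: str = "RS256") -> list:
    """Implicit-flow checks on an already signature-verified ID token.
    Returns a list of failures; an empty list means the token is acceptable.
    The nonce ties the ID token to the request the client actually sent,
    and at_hash binds the access token to this ID token."""
    errors = []
    if not expected_nonce or claims.get("nonce") != expected_nonce:
        errors.append("nonce missing or does not match the request")
    if "at_hash" not in claims:
        errors.append("at_hash missing (required with response_type=id_token token)")
    elif not hmac.compare_digest(claims["at_hash"], compute_at_hash(access_token, alg)):
        errors.append("at_hash does not match the access token")
    return errors


if __name__ == "__main__":
    # Constructed sample values; a real client takes these from the redirect fragment.
    access_token = "SlAV32hkKG-example-access-token"
    nonce = "n-0S6_WzA2Mj"
    claims = {"iss": "https://op.example", "sub": "248289761001",
              "nonce": nonce, "at_hash": compute_at_hash(access_token)}
    print("valid token:", validate_implicit_id_token(claims, access_token, nonce))
    # Swapping in a different access token must fail the at_hash check.
    print("swapped token:", validate_implicit_id_token(claims, "other-token", nonce))
```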

