[Openid-specs-ab] MTI: Basic Client Profile sufficient for closed systems?
tbray at textuality.com
Sun Jul 28 20:33:13 UTC 2013
I had not heard this idea before, but it sounds sane to me. -T
On Sun, Jul 28, 2013 at 11:44 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
> Hi all,
> in the OpenID Connect Workshop at IETF-87, today we discussed the
> "mandatory to implement" requirements (Message/Section 8). One topic was
> the different profiles a client may use to integrate with an OpenID Connect
> OP (Basic Client Profile and Implicit Client Profile).
> I think requiring every OP to support both Basic as well as Implicit
> Client Profile unnecessarily increases the cost and complexity of an OP
> implementation. Based on our implementation experiences and feedback from
> our partners I would argue the Basic Client Profile is sufficient for all
> standard use cases and simple to implement. On the other hand, implementing
> the Implicit Client Profile requires not only implementing the implicit
> grant but also nonce, at_hash, RSA signatures and so on, which considerably
> increases implementation complexity.
> In the course of the discussion, reasonable arguments were made for
> supporting both profiles in open scenarios, where clients bind to
> previously unknown servers at runtime. Therefore, I would like to suggest
> making only the functions required by the Basic Client Profile mandatory for
> closed systems (section 8.1) and adding compliance with the Implicit Client
> Profile to the requirements for open systems (section 8.2).
> What do you think?
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
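To make concrete what the "nonce" and "at_hash" work mentioned above amounts to on the client side, here is an added example (not code from the thread or from any OpenID implementation) of the two Implicit-profile checks a relying party performs after verifying the ID Token signature; the alg-to-hash mapping and sample values are my own assumptions, constructed for illustration.

```python
import base64
import hashlib
import hmac

# Assumed mapping from the ID Token "alg" header to the hash used for at_hash
# (OpenID Connect Core: at_hash uses the hash algorithm of the ID Token's alg).
ALG_TO_HASH = {
    "RS256": "sha256", "RS384": "sha384", "RS512": "sha512",
    "ES256": "sha256", "HS256": "sha256",
}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """at_hash = base64url(left-most half of HASH(ASCII(access_token))), no padding."""
    digest = hashlib.new(ALG_TO_HASH[alg], access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_implicit_response(claims: dict, access_token: str,
                             expected_nonce: str, alg: str = "RS256") -> bool:
    """Client-side checks the Implicit Client Profile adds on top of signature
    verification: the nonce must echo the value the client put in the
    authorization request (replay protection), and at_hash must bind the
    ID Token to the access token delivered next to it in the fragment."""
    nonce = claims.get("nonce")
    if not isinstance(nonce, str) or not hmac.compare_digest(nonce, expected_nonce):
        return False
    at_hash = claims.get("at_hash")
    if not isinstance(at_hash, str):
        return False
    return hmac.compare_digest(at_hash, compute_at_hash(access_token, alg))


if __name__ == "__main__":
    # Constructed sample values; a real token would come from the OP's response.
    token = "constructed-access-token-value"
    claims = {"nonce": "n-0S6_WzA2Mj", "at_hash": compute_at_hash(token)}
    print(verify_implicit_response(claims, token, "n-0S6_WzA2Mj"))
```

In the Basic Client Profile the token endpoint is the only place the access token is delivered, so neither check is needed, which is the complexity difference the post is pointing at.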