[Openid-specs-ab] Migration guide comments

Manger, James James.H.Manger at team.telstra.com
Sun Nov 2 23:33:44 UTC 2014


A few comments on OpenID 2.0 to OpenID Connect Migration 1.0 - draft 06<http://openid.net/specs/openid-connect-migration-1_0-06.html>:

Apologies if this is late, given the current vote about this spec.

1. Would be nice to expand PPID on first use. In section 2:
  "If a pairwise pseudonymous identifier (PPID) was used to obtain the OpenID 2.0 Identifier..."

2. The example authentication request in section 2 sets:
  openid2_realm=https://openid2.example.com
This looks wrong. The realm should identify the RP, but this value identifies the OP. The parameter should be:
  openid2_realm=https://client.example.org

3. Shouldn't the example response in section 2 be a redirect with a "302 Found" status code, not a "200 OK"? A 200 doesn't make much sense alongside the "Location" HTTP header. Change to:
  HTTP/1.1 302 Found
  Location: https://client.example.com/cb#
    id_token=eyJhbGciOiJSUzI1NiIsImtpZCI6IktleTAwMS...

4. Is {"openid2_id":"NOT FOUND"} really a good idea? Why not just omit this member, use a different member name, or at least set its value to null? Generally openid2_id will be an unambiguous id for a user, except for this special case where heaps of users will share the same value. This design seems to be asking for trouble when some code assumes openid2_id is an unambiguous id.

5. If the openid2 scope is not supported wouldn't it be better for the OP to just ignore it, instead of failing the whole authentication request with an invalid_scope error? OpenID Connect 1.0 [§3.1.2.1.] says scope values that are not understood SHOULD be ignored. That feels like a better approach. Wouldn't it help migration if RPs could always include the openid2 scope without having to know where this specific OP was up to in implementing the migration spec? Section 7 says OPs that do support migration may drop support in the future and start returning invalid_scope. Ouch! The migration spec seems to make it unnecessarily dangerous for RPs to support migration by encouraging scope=openid2 to cause failures.

--
James Manger
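The ambiguity raised in point 4 is easy to reproduce on the RP side. The following is an added example, not code from the draft or from the message above: it shows an RP account-linking routine that treats the "NOT FOUND" sentinel (and a null or missing claim) as "no OpenID 2.0 identifier" instead of matching on it, and refuses to link when an identifier maps to more than one local account. The claim names openid2_id and sub come from the draft; the account records, token payloads and function names are constructed for the example.

```python
"""Added example (not from the migration draft or the mailing-list post):
how an RP can consume the openid2_id claim from a migration ID token
without tripping over the "NOT FOUND" sentinel discussed in point 4.
Claim names come from the draft; accounts and payloads are constructed."""

import json

# Sentinel value the draft uses when the OP cannot find an OpenID 2.0
# identifier for the user.
OPENID2_NOT_FOUND = "NOT FOUND"

# Constructed local account store, keyed by the OpenID 2.0 identifier the RP
# recorded before migration.  Two rows were stored with the sentinel by a
# naive importer: the collision the message warns about.
ACCOUNTS = [
    {"uid": 1, "openid2_id": "https://openid2.example.com/alice", "sub": None},
    {"uid": 2, "openid2_id": "https://openid2.example.com/bob", "sub": None},
    {"uid": 3, "openid2_id": OPENID2_NOT_FOUND, "sub": None},
    {"uid": 4, "openid2_id": OPENID2_NOT_FOUND, "sub": None},
]

# Constructed (already signature-verified) ID token payloads.
ALICE_PAYLOAD = json.dumps({
    "iss": "https://openid2.example.com", "sub": "a1",
    "openid2_id": "https://openid2.example.com/alice",
})
NOT_FOUND_PAYLOAD = json.dumps({
    "iss": "https://openid2.example.com", "sub": "z9",
    "openid2_id": OPENID2_NOT_FOUND,
})


def claims_from_payload(payload):
    """Decode the (constructed) JSON claim set of an ID token."""
    return json.loads(payload)


def naive_lookup(claims, accounts):
    """The pattern the message cautions against: assume openid2_id is unique
    and link the first account whose stored value equals the claim."""
    wanted = claims.get("openid2_id")
    return next((a for a in accounts if a["openid2_id"] == wanted), None)


def openid2_id_from_claims(claims):
    """Return a usable OpenID 2.0 identifier, or None when the claim is
    absent, null, or the "NOT FOUND" sentinel."""
    value = claims.get("openid2_id")
    if not isinstance(value, str) or value == OPENID2_NOT_FOUND:
        return None
    return value


def guarded_lookup(claims, accounts):
    """Match a legacy account only on a real identifier, and only when that
    identifier maps to exactly one local account."""
    identifier = openid2_id_from_claims(claims)
    if identifier is None:
        return None
    matches = [a for a in accounts if a["openid2_id"] == identifier]
    if len(matches) != 1:
        return None  # missing or ambiguous: never link silently
    return matches[0]


def link_migrated_account(payload, accounts):
    """Bind the OpenID Connect 'sub' to the legacy account found via
    openid2_id.  Returns the linked account, or None when no safe match
    exists (the RP then treats the login as a new or unlinked user)."""
    claims = claims_from_payload(payload)
    account = guarded_lookup(claims, accounts)
    if account is not None:
        account["sub"] = claims["sub"]
    return account


if __name__ == "__main__":
    nf = claims_from_payload(NOT_FOUND_PAYLOAD)
    print("naive  :", naive_lookup(nf, ACCOUNTS))     # links uid 3 by accident
    print("guarded:", guarded_lookup(nf, ACCOUNTS))   # None
    print("linked :", link_migrated_account(ALICE_PAYLOAD, ACCOUNTS))
```

The naive lookup links the sentinel-bearing token to whichever stored account happens to come first, which is the misbinding the message predicts; the guarded version only links when a real identifier yields exactly one account, and otherwise leaves the decision to the RP's normal new-user flow.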
