[Openid-specs-ab] Issue #962: "NOT FOUND" special value for openid2_id looks dangerous (openid/connect)

James Manger issues-reply at bitbucket.org
Mon Nov 3 00:57:20 UTC 2014


New issue 962: "NOT FOUND" special value for openid2_id looks dangerous
https://bitbucket.org/openid/connect/issue/962/not-found-special-value-for-openid2_id

James Manger:

Section 4.1.2. "No Associated OpenID 2.0 Identifier Found" says a special value "NOT FOUND" should be used in the openid2_id member. This feels dangerous and unnecessary. It is dangerous as in all other situations the openid2_id value is assumed to be an unambiguous account identifier. I can imagine code assuming openid2_id is unambiguous and being tricked into thinking all transactions with "NOT FOUND" refer to the same account.

Omitting the openid2_id member when there is no proper value seems like the most sensible solution. If an explicitly indication of no OpenID 2.0 identifier is really required a different member name could be defined (eg "no_openid2_id":true).




More information about the Openid-specs-ab mailing list