Based on my feedback, and also from what I read from George and Johnny, it sounds like the id_token should either be removed from the Lite spec (is it really required for a Lite implementation? It appears to be an optimization) or perhaps, if it needs to stay in the spec, then it should definitely be better documented.<div>
<br></div><div>The id_token definition in Section 2 says that it's opaque in the Lite profile, which at least to me, means that implementors can ignore it. I've heard that other OAuth2 based APIs have equivalents of the id_token. Can someone point me at some public documentation from other implementations?</div>
<div><br></div><div>Thanks</div><div>Allen</div><div><br><div><br><div class="gmail_quote">On Fri, Aug 12, 2011 at 1:29 PM, George Fletcher <span dir="ltr">&lt;<a href="mailto:gffletch@aol.com">gffletch@aol.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">I've attached a pdf
with my comments on Lite draft 8. It appears that some of these
were discussed on the call yesterday. Please ignore those if a
resolution has been reached.<br>
<br>
Thanks,<br>
George<br>
</font><div><div></div><div class="h5"><br>
On 8/11/11 2:57 PM, John Bradley wrote:
</div></div><blockquote type="cite"><div><div></div><div class="h5">
<pre>Updated lite.
The introspection endpoint is renamed to be consistent with session management. I think the name is clearer for the function.
Per my discussion with Breno I made it clear that it is an OAuth 2 protected resource per the spec and not something special.
That required removing the text about it being possible to overload it on the token endpoint. That probably is not a good idea as they now have different security.
I referenced session management and the full spec to redirect people to there for a fuller explanation.
PPID is only mentioned in security considerations.
We should discuss if it should be in the lite spec.
Some IdPs will use PPID by default. I think a discussion of how that should be calculated needs to be included, otherwise RPs will be surprised if they change something and all the user_id values change.
I may only make the first part of the call. I have a 6:20 flight.
John B.
</pre>
<br>
<br>
</div></div><pre>_______________________________________________
Openid-specs-ab mailing list
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote><font color="#888888">
<br>
<pre cols="72">--
Chief Architect AIM: gffletch
Identity Services Engineering Work: <a href="mailto:george.fletcher@teamaol.com" target="_blank">george.fletcher@teamaol.com</a>
AOL Inc. Home: <a href="mailto:gffletch@aol.com" target="_blank">gffletch@aol.com</a>
Mobile: <a href="tel:%2B1-703-462-3494" value="+17034623494" target="_blank">+1-703-462-3494</a> Blog: <a href="http://practicalid.blogspot.com" target="_blank">http://practicalid.blogspot.com</a>
Office: <a href="tel:%2B1-703-265-2544" value="+17032652544" target="_blank">+1-703-265-2544</a> Twitter: <a href="http://twitter.com/gffletch" target="_blank">http://twitter.com/gffletch</a>
</pre>
</font></div>
<br></blockquote></div><br></div></div>