<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:tahoma,new york,times,serif;font-size:10pt"><div>The query parameters need to be sent even when the "request" parameter is sent because the request needs to conform to the OAuth specs.<br>The "request" parameter is an extension parameter used for creating more complex requests and as a way to sign/encrypt the request. Therefore the query parameters need to be present in the "request" object also and will take precedence.<br></div><div style="font-family:tahoma, new york, times, serif;font-size:10pt"><br><div style="font-family:arial, helvetica, sans-serif;font-size:10pt"><font size="2" face="Tahoma"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> Roland Hedberg <roland.hedberg@adm.umu.se><br><b><span style="font-weight: bold;">To:</span></b> George Fletcher <gffletch@aol.com><br><b><span style="font-weight:
bold;">Cc:</span></b> "openid-specs-ab@lists.openid.net" <openid-specs-ab@lists.openid.net><br><b><span style="font-weight: bold;">Sent:</span></b> Mon, September 19, 2011 11:49:53 PM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [Openid-specs-ab] Comments on the OpenID Connect Standard spec 1.0 draft 4<br></font><br><br>On 20 Sep 2011 at 03:37, George Fletcher wrote:<br><br>> <br>> * Section 4.1.1.2<br>> <br>> The second paragraph says that parameters specified in the "OpenID Request Object" take precedence over query parameters. Yet the non-normative example shows the same parameter in both the query string and the OpenID Request Object. Given that the Request Object takes precedence, isn't just the request object enough? So the last example in section 4.1.1.2 could be...<br>> <br>> <a
href="https://server.example.com/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtx" target="_blank">https://server.example.com/authorize?request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY29kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtx</a> dDMiLCJyZWRpcmVjdF91cmkiOiJodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUiLCJzd GF0ZSI6ImFmMGlmanNsZGtqIiwidXNlcmluZm8iOnsiY2xhaW1zIjp7Im5hbWUiOm51bGwsIm5pY2tuYW1lIjp7Im9wdGlvbmFsIjp0cnVlfS wiZW1haWwiOm51bGwsInZlcmlmaWVkIjpudWxsLCJwaWN0dXJlIjp7Im9wdGlvbmFsIjp0cnVlfX0sImZvcm1hdCI6InNpZ25lZCJ9LCJpZF9 0b2tlbiI6eyJtYXhfYWdlIjo4NjQwMCwiaXNvMjkxMTUiOiIyIn19.2OiqRgrbrHkA1FZ5p_7bc_RSdTbH-wo_Agk-ZRpD3wY<br>> <br><br>I went through the same reasoning but I came out the other end with the idea that the parameters that matter, those you want to sign, they should be in the request JWT and those that
aren't vital (are there any such) could be in the query string.<br>Anyway, I also see no reason for parameters to be in both.<br><br>> * Section 4.1.4.1<br>> <br>> This probably isn't an issue, but ensuring the entire URL does not exceed 512 bytes requires both the AS and the Client to work together. If the client has a really large state value, and the AS has a large code value, the combined length could be greater than 512.<br><br>Agreed, a badly behaved client can make it impossible for a server to construct URLs shorter than 512 bytes.<br><br>-- Roland<br><br>_______________________________________________<br>Openid-specs-ab mailing list<br><a ymailto="mailto:Openid-specs-ab@lists.openid.net" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br></div></div>
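To make the precedence rule discussed in this thread concrete, here is an added example (not from the spec draft and not code from anyone on the list): an authorization server receives a query string plus an HS256-signed "request" object, verifies the signature with the client secret, requires the OAuth parameters response_type and client_id on the query string, and lets request-object values override query values while recording any disagreement between the two. Function names, the secret and the sample claims are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlsplit

# OAuth 2.0 parameters that must appear on the query string even when a
# "request" object is present, so a plain OAuth AS can still parse the request.
REQUIRED_QUERY = ("response_type", "client_id")

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(claims: dict, secret: bytes) -> str:
    """Client side (hypothetical helper): HS256-sign the request object."""
    header = _b64url_encode(json.dumps({"typ": "JWT", "alg": "HS256"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_request_object(jwt: str, secret: bytes) -> dict:
    """Server side: verify the HS256 signature and return the claims."""
    header_b64, payload_b64, sig_b64 = jwt.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("request object must be HS256-signed")  # no alg confusion
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("request object signature does not verify")
    return json.loads(_b64url_decode(payload_b64))

def resolve_authz_request(url: str, secret: bytes):
    """Merge query parameters with the request object; the object wins on conflict.
    Returns (effective_params, conflicts), conflicts mapping a parameter name to
    (query_value, request_object_value) so the AS can log disagreements."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [p for p in REQUIRED_QUERY if p not in query]
    if missing:
        raise ValueError(f"OAuth query parameters missing: {missing}")
    effective, conflicts = dict(query), {}
    jwt = effective.pop("request", None)
    if jwt is not None:
        for name, value in verify_request_object(jwt, secret).items():
            if name in effective and effective[name] != value:
                conflicts[name] = (effective[name], value)
            effective[name] = value  # request object takes precedence
    return effective, conflicts
```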
</div></body></html>