<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
We've moved our git repository away from one that was tied to my
personal account (jricher) and into a more appropriate "GitHub
Organization" one. This means that the diagram URLs have changed.
They are now:<br>
<br>
OpenID Connect:
<a class="moz-txt-link-freetext" href="https://raw.github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/master/docs/OpenID_Connect_Diagrams.pdf">https://raw.github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/master/docs/OpenID_Connect_Diagrams.pdf</a><br>
<br>
OAuth 2.0:
<a class="moz-txt-link-freetext" href="https://raw.github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/master/docs/OAuth2.0_Diagrams.pdf">https://raw.github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/master/docs/OAuth2.0_Diagrams.pdf</a><br>
<br>
These will point to the latest versions.<br>
<br>
-- Justin<br>
<br>
On 02/07/2012 09:52 AM, Anganes, Amanda L wrote:
<blockquote cite="mid:MLQM-20120207101538903-104033@mlite.mitre.org"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Hello again,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">Based on some
feedback I have received from both this WG and the OAuth 2.0
WG, I have updated my diagrams. Changes are listed below,
and the links (</span><a moz-do-not-send="true"
href="https://github.com/jricher/OpenID-Connect-Java-Spring-Server/blob/master/docs/OAuth2.0_Diagrams.pdf?raw=true">https://github.com/jricher/OpenID-Connect-Java-Spring-Server/blob/master/docs/OAuth2.0_Diagrams.pdf?raw=true</a>
and <a moz-do-not-send="true"
href="https://github.com/jricher/OpenID-Connect-Java-Spring-Server/blob/master/docs/OpenID_Connect_Diagrams.pdf?raw=true">https://github.com/jricher/OpenID-Connect-Java-Spring-Server/blob/master/docs/OpenID_Connect_Diagrams.pdf?raw=true</a><span
style="color:#1F497D">) will always point to the latest
versions.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">OAuth 2.0:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Changed the
title of the diagrams to “OAuth 2.0 Authorization” (from
“OAuth 2.0 Authentication”, which was incorrect).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Removed
refresh_token from the Access Token response on the Client
Credentials flow.
<o:p></o:p></span></p>
<p class="MsoNormal" style="text-indent:.5in"><span
style="color:#1F497D">Ref: <a moz-do-not-send="true"
href="http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-4.4.3">
http://tools.ietf.org/html/draft-ietf-oauth-v2-23#section-4.4.3</a> says
"A refresh token SHOULD NOT be included."<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Changed
"Consumer" to "Client" to better match the 2.0 terminology.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">OpenID Connect:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Changed
"Consumer" to "Client".<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Clarified
required/optional wording. Parameters are REQUIRED unless
otherwise stated.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Implicit
Flow: changed wording on redirect_uri requirement in the
Authorization Request. Now reads "required IFF the client
has pre-configured more than one value with the service
provider".
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">* Diagram 3 was
renamed to "Optional Steps" (from "Additional Steps"), as
these steps may or may not be taken and may be done in any
order. Added "openid" to the schema parameter in the
UserInfo Request.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><i><span style="color:#D99594">Amanda
Anganes<o:p></o:p></span></i></p>
<p class="MsoNormal"><span style="color:#D99594">Info Sys
Engineer, G061<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#D99594">The MITRE
Corporation<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#D99594">782-271-3103<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#D99594"><a class="moz-txt-link-abbreviated" href="mailto:aanganes@mitre.org">aanganes@mitre.org</a><o:p></o:p></span></p>
</div>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-left:.5in"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">
<a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>
[<a class="moz-txt-link-freetext" href="mailto:openid-specs-ab-bounces@lists.openid.net">mailto:openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Anganes, Amanda L<br>
<b>Sent:</b> Friday, February 03, 2012 9:28 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> [Openid-specs-ab] OpenID Connect Flow
Diagrams<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Hello,<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">I’ve developed a
set of flow diagrams for the OpenID Connect spec, linked
below. There are two separate diagrams for the Authorization
Code flow and the Implicit Grant flow, as well as a third
diagram showing the additional steps of interacting with the
UserInfo Endpoint and the Check ID Endpoint.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">These were
inspired by the diagrams for OAuth 1.0 and 1.0a that Idan
Gazit posted in
<a moz-do-not-send="true"
href="http://www.ietf.org/mail-archive/web/oauth/current/msg00696.html">http://www.ietf.org/mail-archive/web/oauth/current/msg00696.html</a>,
which Justin Richer pointed me to when I first started trying
to read and understand the OAuth2.0 spec. I’ve created updated
diagrams for OAuth 2.0 as well, which are available at <a
moz-do-not-send="true"
href="https://github.com/jricher/OpenID-Connect-Java-Spring-Server/blob/master/docs/OAuth2.0_Diagrams.pdf?raw=true">https://github.com/jricher/OpenID-Connect-Java-Spring-Server/blob/master/docs/OAuth2.0_Diagrams.pdf?raw=true</a><o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">The OpenID Connect
diagrams are available at
<a moz-do-not-send="true"
href="https://github.com/jricher/OpenID-Connect-Java-Spring-Server/blob/master/docs/OAuth2.0_Diagrams.pdf?raw=true">https://github.com/jricher/OpenID-Connect-Java-Spring-Server/blob/master/docs/OAuth2.0_Diagrams.pdf?raw=true</a>.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">I’d appreciate any
comments/corrections. If anyone finds the diagrams to be
useful, please feel free to rehost.<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in">Thanks,<o:p></o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-left:.5in"><i><span
style="color:#D99594">Amanda Anganes<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="color:#D99594">Info Sys Engineer, G061<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="color:#D99594">The MITRE Corporation<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="color:#D99594">782-271-3103<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><span
style="color:#D99594"><a moz-do-not-send="true"
href="mailto:aanganes@mitre.org">aanganes@mitre.org</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:.5in"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>