<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I realize you’re not trying to nickpick. Quite to the contrary – you’re adding significant value with your observations. Keep it up!
</span><span style="font-size:11.0pt;font-family:Wingdings;color:#1F497D">J</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I just filed this bug
<a href="http://hg.openid.net/connect/issue/713/messages-basic-implicit-explicitly-require">
http://hg.openid.net/connect/issue/713/messages-basic-implicit-explicitly-require</a> to address the requirement that the UserInfo endpoint always return the “sub” claim. As text was refactored, this was partially lost.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I also agree that the interpretation of the first example (response_type “token”), while reasonable, probably isn’t made explicit in the specs. I’ve filed
this bug <a href="http://hg.openid.net/connect/issue/714/review-text-specifying-response_type">
http://hg.openid.net/connect/issue/714/review-text-specifying-response_type</a> to track this and related response_type issues.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I’ve also reopened 671 for further review of the current text for this issue.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> Thanks a bunch,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> openid-specs-ab-bounces@lists.openid.net [mailto:openid-specs-ab-bounces@lists.openid.net]
<b>On Behalf Of </b>Brian Campbell<br>
<b>Sent:</b> Monday, January 28, 2013 10:23 AM<br>
<b>To:</b> openid-connect-interop@googlegroups.com<br>
<b>Cc:</b> <openid-specs-ab@lists.openid.net><br>
<b>Subject:</b> Re: [Openid-specs-ab] Messages -15 RC: what to do malformed or ambiguous requests?<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">Thanks Mike. <o:p></o:p></p>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt">I think your second interpretation of the 3rd example is more consistent with what you've said previously about it. But neither is unreasonable, IMHO. I believe your interpretation of the 1st example is perfectly
reasonable but I'd disagree that it's well defined. I don't see any text that directly associated the sub claim with the openid scope other than via indirectly thought the id token and requirements that the sub claim in the id token match the sub claim form
the UserInfo endpoint. I'd forgotten about issue 671 but looking back at it reminded me that I think I disagree in principal on the implications of the decision made there. Also, all the text (<a href="https://bitbucket.org/openid/connect/commits/5aa754b1332d">https://bitbucket.org/openid/connect/commits/5aa754b1332d</a>)
that John wrote in resolving 671, including some that would seem to directly contradict your your interpretation of the 1st example, has been replaced or deleted by other checkins in the last week or so.
<br>
<br>
<o:p></o:p></p>
</div>
<p class="MsoNormal">Anyway, I'm not trying to nitpick or argue with you about these (though I realize the last paragraph might read that way, it's not the intent) but the meta-point I do want to make is that I honestly don't think the spec is unambiguously
clear on many of these scope/response_type combinations. And maybe that's okay. But if there are any security implications (seems like maybe the 1st example could lead to trouble but I dunno) or there are or will be any interop tests, it should probably be
tightened up. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Sun, Jan 27, 2013 at 7:53 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Actually rereading this, the third example doesn’t include the “openid” scope value, and so it’s
entirely outside the realm of what OpenID Connect specifies. It’s just an OAuth 2.0 request – not an OpenID Connect request. The “profile” scope value is only meaningful in this case if the two participants agree what it means. It’s meaning might have nothing
to do with the OpenID Connect meaning of that value.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> Best wishes,</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a> [mailto:<a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a>]
<b>On Behalf Of </b>Mike Jones<br>
<b>Sent:</b> Sunday, January 27, 2013 3:05 PM<br>
<b>To:</b> <a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">
openid-connect-interop@googlegroups.com</a>; <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b> RE: Messages -15 RC: what to do malformed or ambiguous requests?</span><o:p></o:p></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Here’s my take on the (good) questions that you raised, Brian…</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><br>
</span> response_type=token<br>
scope=openid<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This is meaningful and well-defined. It requests an access token for the OpenID UserInfo Endpoint
but requests no ID Token. The “sub” claim must be made available at the UserInfo endpoint.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><br>
</span> response_type=id_token<br>
scope=openid profile email address<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This is an error, because it requests that claims be returned via the UserInfo endpoint, but requests
no access token by which to access those claims. John applied the fix to <a href="https://bitbucket.org/openid/connect/issue/671/" target="_blank">
https://bitbucket.org/openid/connect/issue/671/</a> to make it clear that an error should be returned in this case. (Please review the text of the change.
</span><span style="font-size:11.0pt;font-family:Wingdings;color:#1F497D">J</span><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">)</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
response_type=code<br>
scope=profile<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Like the first example, this is well-defined.</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> -- Mike</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a> [<a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">mailto:openid-connect-interop@googlegroups.com</a>]
<b>On Behalf Of </b>Brian Campbell<br>
<b>Sent:</b> Friday, January 25, 2013 1:54 PM<br>
<b>To:</b> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>>;
<a href="mailto:openid-connect-interop@googlegroups.com" target="_blank">openid-connect-interop@googlegroups.com</a><br>
<b>Subject:</b> Messages -15 RC: what to do malformed or ambiguous requests?</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt">There are a number of possible combinations of parameters that seem (at least to me) like they might be considered malformed or ambiguous. A few examples are listed below but there are
other combinations, usually where what's requested by the response type is somehow misaligned with what's requested via scope. The messages spec gives some guidance, for example around scope in 2.4 and the openid scope value in 2.4 but it's still not entirely
clear what the expected behavior is for these kind of things. I know this question, or variations on it, have come up before but I don't know that an answer was ever settled on. And it's still not clear to me from reading RC/-15.
<o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Is there a general expectation of behavior around this kind of thing? Should the AS just make a best effort? Or should it return errors to the client? Or something else? Even if
the specs decide to leave it entirely up to the implementations, I think it'd be useful to say as much.<o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Some example combinations of response_type and scope that I don't know what to do with:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><br>
response_type=token<br>
scope=openid<br>
<br>
response_type=id_token<br>
scope=openid profile email address<br>
<br>
response_type=code<br>
scope=profile<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">--
<br>
<br>
<o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal">-- <br>
<br>
<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</body>
</html>