<html><head><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><base href="x-msg://4321/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">At least the "code token" response type predates Connect. Google and others agreed to roll them all into one document for registration.<div><br></div><div>However I agree that this mostly affects Connect at this point but will affect future response types as well. That is why it needs to be carefully considered.</div><div><br></div><div>It probably should be a separate Connect document like registration so that in future it can be reconciled with IETF specs, or made one.</div><div><br></div><div>If we can do that by Monday that would be a good thing.</div><div><br></div><div>John B.</div><div><br><div><div>On 2013-10-17, at 7:15 PM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div lang="EN-US" link="blue" vlink="purple" style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div class="WordSection1" style="page: WordSection1; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Yes, in theory, it’s an OAuth issue, but in practice it only really comes up when using an OpenID specification -<a href="http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html" style="color: purple; text-decoration: underline; ">http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html</a>. So this would actually supplement functionality defined by OpenID Connect – not core OAuth functionality.<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> -- Mike<o:p></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></div><div><div style="border-style: solid none none; border-top-width: 1pt; border-top-color: rgb(181, 196, 223); padding: 3pt 0in 0in; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a> [mailto:openid-<a href="mailto:specs-ab-bounces@lists.openid.net">specs-ab-bounces@lists.openid.net</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>John Bradley<br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, October 17, 2013 2:58 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Torsten Lodderstedt<br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Spec call notes 17-Oct-13<o:p></o:p></span></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Torsten,<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">This is not really about the code response type. (Though it might be observed that code to a public client would be safer with POST than GET as the code would not leak in the referrer)<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The issue is with the "code id_token", "token id_token", "code token id_token" and "id_token" response types where the recipient is not JS in the browser but a host.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The "code id_token" response type was intended to give the client a fast way to customize the UI while it asynchronously fetches additional data in the back end.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Currently the redirect_uri must contain JS that parses the fragment and sends the contents of the fragment as a form encoded POST to the client.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Some people want to optimize that by having the Authorization server send JS that autoposts a form with the paramaters like openID 2.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">There might be a alight speed advantage, but the main advantage is a simpler client (you will now point out that simple clients should use code).<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The downside to POST in a redirect is well understood as having sub-optimal UI with browser flashing and possibly needing to present a submit button as compared to postMessage or fragment encoding.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">My personal feeling is that this is a OAuth issue, though one that impacts Connect. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">My main concern is forcing something through in Connect may not align with a OAuth WG is that it will require more work for implementers in the long run.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">There is nothing in the current spec that is any way unworkable, however using POST can be a useful optimization in some specific environments.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I suspect that this is partially a fragment encoding is new and unfamiliar while POST is well understood by developers issue. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">If everyone moved from fragment to POST for Connect it would not be a positive UI direction.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I have not totally made my mind up yet, but am leaning towards this being a OAuth extension rather than something specific to Connect.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">John B.<o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2013-10-17, at 6:19 PM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" style="color: purple; text-decoration: underline; ">torsten@lodderstedt.net</a>> wrote:<o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Hi all,<br><br>can someone please explain the problems, which shall be resolved by POSTing responses? As far as I understand, POSTing responses in OpenID 2.0 were neccessary in order to transport large amounts of data (esp. when utilizing AX). In OAuth and Connect, there is just the authz code + state sent to the client in the grant type code. I don't expect them to blow up the redirect URI.<br><br>regards,<br>Torsten.<o:p></o:p></p><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Am 17.10.2013 22:38, schrieb Richer, Justin P.:<o:p></o:p></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt; "><div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">I completely agree with Nat. There have been many months for people to comment on, interop with, and add features to the set. I think that changing something this fundamental this late in the game with so little testing behind it is ludicrous. I don't understand how this is coming up all of a sudden. From my perspective, it sounds like one contingent is trying to sneak something in just under the wire and hoping nobody will notice.<span class="Apple-converted-space"> </span><br><br>This can easily be defined as an extension and it would do much more harm than good trying to cram it in now.<br><br>As to Tony's contention: plenty of us are deploying and exactly what you keep calling impossible. There are numerous existence proofs in contrast to your position.<br><br> -- Justin<o:p></o:p></span></p><div><div class="MsoNormal" align="center" style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; text-align: center; "><hr size="2" width="100%" align="center"></div><div id="divRpF193203"><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net" style="color: purple; text-decoration: underline; ">openid-specs-ab-bounces@lists.openid.net</a><span class="Apple-converted-space"> </span>[<a href="mailto:openid-specs-ab-bounces@lists.openid.net" style="color: purple; text-decoration: underline; ">openid-specs-ab-bounces@lists.openid.net</a>] on behalf of Anthony Nadalin [<a href="mailto:tonynad@microsoft.com" style="color: purple; text-decoration: underline; ">tonynad@microsoft.com</a>]<br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, October 17, 2013 2:04 PM<br><b>To:</b><span class="Apple-converted-space"> </span>Nat Sakimura; Mike Jones<br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline; ">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Spec call notes 17-Oct-13</span><o:p></o:p></p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">If you can’t deploy this stuff it’s no good, it would then be a board issue to approve or disapprove and I know where I would vote</span><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><a name="_MailEndCompose"><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span></a><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 11pt; font-family: Calibri, sans-serif; ">From:</span></b><span style="font-size: 11pt; font-family: Calibri, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab-bounces@lists.openid.net" style="color: purple; text-decoration: underline; ">openid-specs-ab-bounces@lists.openid.net</a><span class="Apple-converted-space"> </span>[<a href="mailto:openid-specs-ab-bounces@lists.openid.net" style="color: purple; text-decoration: underline; ">mailto:openid-specs-ab-bounces@lists.openid.net</a>]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Nat Sakimura<br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, October 17, 2013 9:55 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Mike Jones<br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline; ">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Spec call notes 17-Oct-13</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I completely disagree. We have feature frozen months ago and we should not allow any feature bloat now. We have decided it and we must adhere to it. <o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">It is a process and trust issue. Also, the timing is critical for several things that you probably have already heard. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">If it could not be done with an extension, I would be more sympathetic. However, in this case, you can do it as an extension, and that is still conformant once that extension gets voted. The core does not prohibit it. <o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">And do not mix up Google's postMessage and Form encoding + POSTing. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The fragment encoding was supposed to be used with postMessage and that's what Google is doing. <o:p></o:p></div></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Even if you had the new feature text on Monday, there is not enough review period. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Also, note that the Monday meeting has no authority to decide on such things. It has to be done in the list, and we have to give ample time to respond. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">We MUST NOT push any new feature through so quickly. <o:p></o:p></div></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Sorry to be a process police here, but that's what I have to do as a chair. <o:p></o:p></div></div></div><div><div style="margin-bottom: 12pt; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">2013/10/18 Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline; ">Michael.Jones@microsoft.com</a>><o:p></o:p></div><blockquote style="border-style: none none none solid; border-left-width: 1pt; border-left-color: rgb(204, 204, 204); padding: 0in 0in 0in 6pt; margin: 5pt 0in 5pt 4.8pt; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">I actually think that getting the features right, such that developers will actually use what’s in the spec, rather than do something non-conformant, is more important than a few days of schedule.</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">It’s pretty telling that Google, Ping, and Microsoft all are using something other than fragment encoding in some cases for Implicit/Hybrid flows. Far better to enable interop on these non-fragment return types than have everyone do something outside the spec.</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">As we said on the call, I’ll write up a concrete proposal so people can review it in advance of Monday.</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Yes, we’re late in the process, but far better to make a late addition than to ship something that we know has defects that will cause people to do things not in the spec.</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> -- Mike</span><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "> </span><o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span>Nat Sakimura [mailto:<a href="mailto:sakimura@gmail.com" target="_blank" style="color: purple; text-decoration: underline; ">sakimura@gmail.com</a>]<span class="Apple-converted-space"> </span><br><b>Sent:</b><span class="Apple-converted-space"> </span>Thursday, October 17, 2013 9:19 AM<br><b>To:</b><span class="Apple-converted-space"> </span>Mike Jones<br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">openid-specs-ab@lists.openid.net</a><br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Spec call notes 17-Oct-13</span><o:p></o:p></div><div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Please add to the note that Nat has pointed out that this is not the time to add a new feature that it can and should be dealt with extension. <o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Also, John has pointed out that expanding the feature will cause interoperability problems. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">As part of the AOL's OpenID 2.0 provider explanation, it was pointed out that the UI would show flash and button, and that was the reason we have dropped it from the current Connect spec. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">In fact, not only AOL but many others did it in OpenID 2.0 as that was the only option, and it was also something that many of us wanted to escape from. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The reason sited in support of form POSTing were as follows: <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">1) It is done by SAML and WS. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">2) Fragment would not be able to hold large payload. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">3) If it is not there, implementers will do stupid things like including access token in the query parameter. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">4) If the browser is not Javascript enabled, it is the last resort. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">In the above, 1) does not make sense. The web technology has advanced so much since they were designed. We have considered the option previously and dropped. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">As to 2) is concerned, the statement is false. Fragment can hold pretty big payload. It was tested during the self-issued testing, and we found out that the limit is actually pretty large. We were sending photos as a claim in id_token as a result of it. (Note: I need to double check - since we were concerned mostly on mobile platform, we may not have tested IE.) <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">The reason 3) is not a good one either. We should just write an implementers NOTE that they should never do this. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">As a result, only the credible reason is 4). However, this means that a lot of other things at the destination site will break, too. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">I understand that there are people who want to do it. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Even some of NRI's internal developers wants to do it. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">However, that is not a good enough reason to get it into the core at this point in time. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">In addition, there will be bunch of moving parts that we have to fix if we were to do it. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">We should not do it in three days. We should take more time to consider various implications. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">We are finalizing the core spec now. The cut off date is end of this week. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">It should be done as an extension. I oppose to do it in the core. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Our priority to get the Core out of the door, now. <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div></div><div><div style="margin-bottom: 12pt; "><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">2013/10/17 Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank" style="color: purple; text-decoration: underline; ">Michael.Jones@microsoft.com</a>><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Spec call notes 17-Oct-13<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Mike Jones<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Brian Campbell<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">George Fletcher<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">John Bradley<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Nat Sakimura<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Edmund Jay<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Agenda:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Open Issues<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Multiple response type requests returning values in ways other than fragments<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Document Restructuring and Review<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Open Issues:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> #873: session 4.1. Can we use opbs with http (not httponly)<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> We developed proposed text for this<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> #879 & #880: Hosting<span class="Apple-converted-space"> </span><a href="http://self-issued.me/" target="_blank" style="color: purple; text-decoration: underline; ">self-issued.me</a><o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> John will get the cheapest Amazon VM and give Edmund access to it<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Multiple response type requests returning values in ways other than fragments<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Microsoft has asked for a POST binding, like WS-Federation and SAML have<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Ping has an extra response_type component x_post<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> This causes the responses to POST to be returned as form-encoded body content<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Google has a way of registering clients to use a postMessage binding<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> They do that by registering a JavaScript origin, rather than response_type<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> AOL's OpenID 2.0 provider often uses the POST response because of large AX responses<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> John had proposed a registration parameter for this:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> redirect_type fragment | POST | postMessage<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> This would be discoverable as<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> redirect_types_supported<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Another reason for this is to not hit fragment size limits<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Mike will file a bug on this to make a concrete proposal<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> We will discuss this at the Monday meeting<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Document Restructuring and Review:<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> Mike posted a Word version of the Core spec with tracked changes turned on<o:p></o:p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> People are requested to mark it up with specific proposed changes this week<o:p></o:p></div></div><p class="MsoNormal" style="margin: 0in 0in 12pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br clear="all"><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">--<span class="Apple-converted-space"> </span><br>Nat Sakimura (=nat)<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank" style="color: purple; text-decoration: underline; ">http://nat.sakimura.org/</a><br>@_nat_en<o:p></o:p></div></div></div></div></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br clear="all"><o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">--<span class="Apple-converted-space"> </span><br>Nat Sakimura (=nat)<o:p></o:p></div><div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank" style="color: purple; text-decoration: underline; ">http://nat.sakimura.org/</a><br>@_nat_en<o:p></o:p></div></div></div></div></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><br><o:p></o:p></div><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; ">_______________________________________________<o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; ">Openid-specs-ab mailing list<o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; "><a href="mailto:Openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><o:p></o:p></pre><pre style="margin: 0in 0in 0.0001pt; font-size: 10pt; font-family: 'Courier New'; "><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></pre></blockquote><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; ">_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" style="color: purple; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" style="color: purple; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></div></div><p class="MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman', serif; "></p></div></div></div></blockquote></div><br></div></body></html>