<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">+1 <br>
<br>
This is a non-normative overview text so that level of abstraction
may work better. <br>
<br>
Nat<br>
<br>
(2014/01/06 22:09), John Bradley wrote:<br>
</div>
<blockquote
cite="mid:1C42A2FB-EC07-4A40-A3C8-BBE7B7749233@ve7jtb.com"
type="cite">
Good point, the code token response returns the id_token from the
token endpoint.
<div><br>
</div>
<div>So while code is always returned in the fragment, token and
id_token are optional in the fragment depending on the response
type.</div>
<div><br>
</div>
<div>That would make "Authorization Server Sends the End-User back
to the Client with an Authorization Code and, depending on the
response_type one or both of ID Token, Access Token"</div>
<div>The most correct. </div>
<div><br>
</div>
<div>This is a high level flow description so we could say:</div>
<div>"Authorization Server Sends the End-User back to the Client
with an Authorization Code and, depending on the response_type
one or more additional parameters"</div>
<div>That makes it read better.</div>
<div><br>
</div>
<div>There is always a second parameter otherwise it is a code
flow.</div>
<div><br>
</div>
<div>John B.</div>
<div><br>
<div>
<div>On Jan 6, 2014, at 2:29 AM, Ryo Ito &lt;<a
moz-do-not-send="true" href="mailto:ritou.06@gmail.com">ritou.06@gmail.com</a>&gt;
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div dir="ltr">
<div>> code is actually always returned in successful
response</div>
<div>OK</div>
<div><br>
</div>
<div>> + 5. Authorization Server Sends the End-User
back to the Client with an ID Token, an Authorization
Code and, if requested, an Access Token.</div>
<div><br>
</div>
<div>At the table of OpenID Connect "response_type"
Values, hybrid flow may not require ID Token in
authorization response.</div>
<div><br>
</div>
<div>> | code id_token | Hybrid Flow |</div>
<div>
> | code token | Hybrid Flow |</div>
<div>> | code id_token token | Hybrid Flow |</div>
<div><br>
</div>
<div>Ryo</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014/1/5 John Bradley <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>&gt;</span><br>
<blockquote class="gmail_quote">
<div>The response types "id_token token" and
"id_token" are now covered in implicit. I think the
language was intended to cover the "id_token"
response type before refactoring.
<div>
<br>
</div>
<div>The current text is not strictly incorrect but
is misleading as the Authorization code is always
requested in the Hybrid flow.<br>
<div><br>
</div>
<div>Nat and Ryo's proposed change is less
confusing and is editorial in my opinion.</div>
<div><br>
</div>
<div>John B.</div>
<div>
<div class="h5">
<div><br>
</div>
<div>
<div>
<div>On Jan 5, 2014, at 2:04 AM, Nat
Sakimura &lt;<a moz-do-not-send="true"
href="mailto:sakimura@gmail.com"
target="_blank">sakimura@gmail.com</a>&gt;
wrote:</div>
<br>
<blockquote type="cite">
<div dir="ltr">Good catch.
<div>Though, in hybrid flow, code is
actually always returned in
successful response so it would be </div>
<div><br>
</div>
<div>- 5. Authorization Server Sends
the End-User back to the Client with
an ID Token and, if requested, an
Authorization Code and/or Access
Token.<br>
</div>
<div>+ 5. Authorization Server Sends
the End-User back to the Client with
an ID Token, an Authorization Code
and, <span>if requested, an</span> Access Token.</div>
<div><br>
</div>
<div>If it does not return an
authorization code, it is an
implicit flow. </div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2014/1/5 Ryo
Ito <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:ritou.06@gmail.com"
target="_blank">ritou.06@gmail.com</a>&gt;</span><br>
<blockquote class="gmail_quote">
<div dir="ltr">
<div>Hybrid flow includes code
in authorization response.<br>
</div>
<div><br>
</div>
<div>Step 5 should be corrected
as follows.</div>
<div><br>
</div>
<div>- 5. Authorization Server
Sends the End-User back to the
Client with an ID Token and,
if requested, an Authorization
Code and/or Access Token.</div>
<div>+ 5. Authorization Server
Sends the End-User back to the
Client with an Code and, if
requested, an Authorization ID
Token and/or Access Token.</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Ryo.</div>
<span>
<div>
<br>
</div>
-- <br>
====================<br>
Ryo Ito<br>
Email : <a
moz-do-not-send="true"
href="mailto:ritou.06@gmail.com"
target="_blank">ritou.06@gmail.com</a><br>
====================
</span></div>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
</blockquote>
</div>
<br>
<br>
<div><br>
</div>
-- <br>
Nat Sakimura (=nat)
<div>Chairman, OpenID Foundation<br>
<a moz-do-not-send="true"
href="http://nat.sakimura.org/"
target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br>
<div><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd.
<a class="moz-txt-link-freetext" href="Tel:+81-3-6274-1412">Tel:+81-3-6274-1412</a> Fax:+81-3-6274-1547
</pre>
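<div>The flow distinctions discussed in this thread, as an added example that is not part of the original messages or of the specification text: classify a response_type, then check that a Hybrid Flow redirect carries exactly the requested parameters in the fragment. The function names, the client.example URL and the parameter values are constructed for illustration.</div>
<pre>
```python
from urllib.parse import parse_qs, urlencode, urlsplit

# response_type value -> parameter it adds to the authorization response
PARAM_FOR = {"code": "code", "id_token": "id_token", "token": "access_token"}


def classify_flow(response_type):
    """Name the flow for a space-delimited response_type (order is ignored)."""
    values = set(response_type.split())
    if not values or not values.issubset(PARAM_FOR):
        return "unknown"
    if "code" not in values:
        return "implicit"  # no authorization code from the authorization endpoint
    if values == {"code"}:
        return "code"      # no second value, so plain code flow
    return "hybrid"        # code plus id_token and/or token


def check_hybrid_response(response_type, redirect_url):
    """Return a list of problems; an empty list means the response matches."""
    if classify_flow(response_type) != "hybrid":
        return ["response_type is not a hybrid flow value"]
    expected = {PARAM_FOR[v] for v in response_type.split()}
    parts = urlsplit(redirect_url)
    fragment, query = parse_qs(parts.fragment), parse_qs(parts.query)
    problems = []
    for name in sorted(PARAM_FOR.values()):
        if name in query:
            problems.append(name + " is in the query string, not the fragment")
        if name in expected and name not in fragment:
            problems.append("missing " + name)
        if name in fragment and name not in expected:
            problems.append("unexpected " + name)
        if len(fragment.get(name, [])) not in (0, 1):
            problems.append("duplicated " + name)
    return problems


# Constructed sample redirect; the values are placeholders, not real tokens.
SAMPLE = "https://client.example/cb#" + urlencode(
    {"code": "constructed-code", "access_token": "constructed-access-token"})

if __name__ == "__main__":
    print(classify_flow("code token"), check_hybrid_response("code token", SAMPLE))
    print(check_hybrid_response("code id_token", SAMPLE))
```
</pre>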
</body>
</html>