<div dir="ltr"><div><div>Session state (<a href="http://openid.net/specs/openid-connect-session-1_0.html#CreatingUpdatingSessions" target="_blank">defined as a "JSON string"</a>) can have spaces as well. <br><br>
</div>Yes, there are ways to work around it given knowledge of the client id and session state values, which are (mostly) at the discretion of the OP. <br>
<br>Seems less than ideal that the spec would sometimes require special handling to extract the two values out of the postMessage data. But yeah, if it's going to stay that way, I'd say it's worth calling out and explaining.<br>
<br></div><div>Was there a reason the two values weren't mashed together using JSON or whatever?<br>
</div><div><div><br><br><br></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Feb 4, 2014 at 8:47 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word">Yes that would be a problem. The example in 4.2 should probably be doing a slice(0, lastIndexOf(' ')) rather than a split(' ').<div>
<br></div><div>Or whatever the correct JS syntax is to split on the rightmost ' '. Having spaces in the client ID is not ideal, but it is not the end of the world as long as there are no spaces in the session state.</div>
<div><br></div><div>In principal as the client_id is issued by the AS it would know if split(' ') is safe to use.</div><div><br></div><div>Worth calling out though.</div><div><br><div><div class="im"><div>On Feb 4, 2014, at 12:28 PM, Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>> wrote:</div>
<br></div><blockquote type="cite"><div class="im"><div dir="ltr"><div>In <a href="http://openid.net/specs/openid-connect-session-1_0.html#RPiframe" target="_blank">4.1 of Session Management </a>"The postMessage from the RP iframe delivers the
following concatenation as the data: <b>Client ID + " " + Session State</b>"
and 4.2 the OP has to <br><br></div>Wouldn't that break for client ids that contain spaces, when in <a href="http://openid.net/specs/openid-connect-session-1_0.html#OPiframe" target="_blank">section 4.2</a>, the OP attempts to parse those two items out from the data (and yes, spaces are allowed per the <a href="http://tools.ietf.org/html/rfc6749#appendix-A.1" target="_blank">client_id ABNF in RFC 6749</a>)?<br>
<br><br></div></div>
_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br></div></div></blockquote></div><br></div>