[Openid-specs-fapi] Fwd: [Bitbucket] Pull request #90: new document describing the lodging intent pattern (openid/fapi)

Torsten Lodderstedt torsten at lodderstedt.net
Thu Jan 31 17:45:15 UTC 2019


Hi Ralph, 

** move the discussion to the list to give the WG a chance to contribute ***

Thanks for your feedback. 

I think using a fully qualified URL might solve some problems but creates new problems as the AS has to ensure the URL refers to a legit resource to prevent injection and other sorts of attacks. So at least the AS must maintain a whitelist of base URLs.

kind regards,
Torsten. 

> Begin forwarded message:
> 
> From: "Ralph Bragg" <pullrequests-reply at bitbucket.org>
> Subject: Re: [Bitbucket] Pull request #90: new document describing the lodging intent pattern (openid/fapi)
> Date: 26 January 2019 at 20:27:00 CET
> To: torsten at lodderstedt.net
> 
>
> Ralph Bragg commented on pull request #90:
> new document describing the lodging intent pattern <https://bitbucket.org/openid/fapi/pull-requests/90/new-document-describing-the-lodging-intent#comment-89416617>
> It’s a good idea to write a document detailing all of the combinations. Given that typically the staging of the consent will result in an object creation 201 etc I’d like to see one of the examples reference the created resource by URI explicitly rather than another abstraction. You touch on the various options for the RS and AS staging or hosting a functional request, by using a fully qualified URI in a similar manner to the request_uri parameter a lot of the issues with trying to technically locate and build URIs and retrieve the consents from the AS could be avoided.
> If I had the time again, I would have pushed hard for the OBIE to use an explicit resource not a reference to it despite the concerns over the limitations in size of query string parameters.
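
The base-URL whitelist check discussed in this message, sketched as an added example that is not part of the original thread or of the FAPI documents. The base URL, host names and function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

# Constructed allowlist (hypothetical): base URLs of resource servers the AS trusts.
# Each base ends with "/" so a prefix match cannot stop in the middle of a path segment.
ALLOWED_BASES = ["https://rs.bank.example/open-banking/consents/"]


def _canonical(url):
    """Return (scheme, host, port, decoded path), or None if the URL is rejected."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme != "https" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # "https://trusted@other-host/..." style confusion
    if parts.fragment:
        return None
    path = unquote(parts.path)
    if "%" in path or "\\" in path:
        return None  # double encoding or backslash separators
    if any(seg in (".", "..") for seg in path.split("/")):
        return None  # dot segments could climb out of the allowlisted base
    return ("https", parts.hostname, port or 443, path)


def is_allowed_intent_url(url, bases=ALLOWED_BASES):
    """True only if url names a resource strictly below an allowlisted base URL."""
    cand = _canonical(url)
    if cand is None:
        return False
    for base in bases:
        b = _canonical(base)
        if b is None or not b[3].endswith("/"):
            continue  # ignore malformed allowlist entries
        same_origin = cand[:3] == b[:3]
        if same_origin and cand[3].startswith(b[3]) and len(cand[3]) > len(b[3]):
            return True
    return False
```

If the AS goes on to dereference an accepted URL, it should not follow redirects, since a redirect target would not have passed this check.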
