<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font size="+1"><font face="Arial">My point was that if the AS knew
        the user wasn't authorized for any apps, it wouldn't give the TA
        any tokens.<br>
        <br>
        If it did indeed give the TA an access token, then is it not fair
        to presume that the AppInfo will include at least one app?<br>
        <br>
        paul<br>
        <br>
      </font></font>
    <div class="moz-cite-prefix">On 9/29/14, 7:29 PM, John Bradley
      wrote:<br>
    </div>
    <blockquote
      cite="mid:BB453366-2598-411C-921C-DE6B47C22DBE@ve7jtb.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      Inline<br>
      <div>
        <div>On Sep 29, 2014, at 8:09 PM, Paul Madsen &lt;<a
            moz-do-not-send="true" href="mailto:paul.madsen@gmail.com">paul.madsen@gmail.com</a>&gt;
          wrote:</div>
        <br class="Apple-interchange-newline">
        <blockquote type="cite">
          <meta content="text/html; charset=ISO-8859-1"
            http-equiv="Content-Type">
          <div bgcolor="#FFFFFF" text="#000000"> <font size="+1"><font
                face="Arial">inline</font></font><br>
            <div class="moz-cite-prefix">On 9/29/14, 3:03 PM, John
              Bradley wrote:<br>
            </div>
            <blockquote
              cite="mid:19914753-1994-4907-99B8-49284E236EA2@ve7jtb.com"
              type="cite">
              <meta http-equiv="Content-Type" content="text/html;
                charset=ISO-8859-1">
              Inline<br>
              <div>
                <div>On Sep 29, 2014, at 1:23 PM, Emily Xu &lt;<a
                    moz-do-not-send="true" href="mailto:exu@vmware.com">exu@vmware.com</a>&gt;
                  wrote:</div>
                <br class="Apple-interchange-newline">
                <blockquote type="cite">
                  <meta http-equiv="Content-Type" content="text/html;
                    charset=ISO-8859-1">
                  <div style="word-wrap: break-word; -webkit-nbsp-mode:
                    space; -webkit-line-break: after-white-space;
                    font-size: 14px; font-family: Calibri, sans-serif;">
                    <div>I have a couple of questions related to NAPPS
                      AppInfo endpoint.</div>
                    <div><br>
                    </div>
                    <div>1. In Section 7.2.1, it says "Access Token
                      obtained from an OpenID Connect Authorization
                      Request". I assume it means the access_token
                      should contain "openid" in scope. Is it correct?</div>
                  </div>
                </blockquote>
                <div><br>
                </div>
                The format of access tokens issued by the Authorization
                endpoint for the AppInfo endpoint is unspecified, as the
                AppInfo endpoint and the AS are tightly related and the
                tokens are opaque to the client.</div>
              <div><br>
              </div>
              <div>The Authorization request MUST have "openid" in the
                scopes requested.  It is however up to the AS to decide
                if that needs to be indicated in the access token.</div>
              <div><br>
                <blockquote type="cite">
                  <div style="word-wrap: break-word; -webkit-nbsp-mode:
                    space; -webkit-line-break: after-white-space;
                    font-size: 14px; font-family: Calibri, sans-serif;">
                    <div><br>
                    </div>
                    <div>2. In Section 7.2.2, it says</div>
                    <div> "apps</div>
                    <div>REQUIRED (Array). One or more JSON objects
                      containing claims about applications that the <em>TA</em>
                      can provide tokens or web boot-strap uri for."</div>
                  </div>
                </blockquote>
                <blockquote type="cite">
                  <div style="word-wrap: break-word; -webkit-nbsp-mode:
                    space; -webkit-line-break: after-white-space;
                    font-size: 14px; font-family: Calibri, sans-serif;">
                    <div><br>
                    </div>
                    <div>Any reason it must be "One or more" instead of
                      "Zero or more"? If there are zero apps authorized
                      for this particular user, what should the response
                      be?</div>
                  </div>
                </blockquote>
                <div><br>
                </div>
                OK, good point: if there are no apps then it would be an
                empty array.   I suspect that was a holdover from the
                TA validating the bundleid directly, as the TA wouldn't
                have had much to do with zero apps.</div>
            </blockquote>
            if the user is authorized for *no* apps, then why would the
            AS return tokens to the TA in the first place?<br>
          </div>
        </blockquote>
        <div><br>
        </div>
        The AS wouldn't.</div>
      <div><br>
      </div>
      <div>The problem was that the Appinfo endpoint description of the
        list of apps implied that there would be at least one in the
        array. </div>
      <div><br>
      </div>
      <div>There might be zero apps listed for the TA.   </div>
      <div><br>
      </div>
      <div>Also, just because an app is listed in the app_info endpoint,
        that doesn't guarantee that the AS will issue a token at any
        particular point in time.</div>
      <div><br>
      </div>
      <div>The TA can try to get a token from the AS anyway, by sending
        the bundleID.</div>
      <div><br>
      </div>
      <div><br>
      </div>
      <div>John B.<br>
        <blockquote type="cite">
          <div bgcolor="#FFFFFF" text="#000000">
            <blockquote
              cite="mid:19914753-1994-4907-99B8-49284E236EA2@ve7jtb.com"
              type="cite">
              <div><br>
              </div>
              <div>I will make that change.</div>
              <div><br>
              </div>
              <div>John B.<br>
                <blockquote type="cite">
                  <div style="word-wrap: break-word; -webkit-nbsp-mode:
                    space; -webkit-line-break: after-white-space;
                    font-size: 14px; font-family: Calibri, sans-serif;">
                    <div><span style="text-align: left; "><br>
                      </span></div>
                    <div><span style="text-align: left; ">Thanks,</span></div>
                    <div><span style="text-align: left; ">Emily</span></div>
                  </div>
                  _______________________________________________<br>
                  Openid-specs-native-apps mailing list<br>
                  <a moz-do-not-send="true"
                    href="mailto:Openid-specs-native-apps@lists.openid.net">Openid-specs-native-apps@lists.openid.net</a><br>
                  <a moz-do-not-send="true"
                    class="moz-txt-link-freetext"
                    href="http://lists.openid.net/mailman/listinfo/openid-specs-native-apps">http://lists.openid.net/mailman/listinfo/openid-specs-native-apps</a><br>
                </blockquote>
              </div>
              <br>
              <br>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
  </body>
</html>