[OpenID] Comments on openid-igov-openid-connect-1_0 draft 02


Manger, James

31 Aug 2017 21:16:31
to: openid-...@lists.openid.net, ope...@justin.richer.org, pa...@nist.gov, mike....@securekey.com

Comments on “International Government Assurance Profile (iGov) for OpenID Connect 1.0 - Draft 02” http://openid.net/specs/openid-igov-openid-connect-1_0.html:


Comments on “International Government Assurance Profile (iGov) for OAuth 2.0 - Draft 02” http://openid.net/specs/openid-igov-oauth2-1_0.html:

- §2.1.1 “Requests to the Authorization Endpoint” says clients "MUST include their full redirect URIs in the authorization request", but the example doesn't include it. The example has client_id, nonce, response_type and scope parameters, but no redirect_uri.

- §2.1.1 It should also be “URI” singular (not “URIs” plural) as, though a client might have multiple URIs registered, it can only include 1 in any particular request.

- §2.1.2 Example POST to /token doesn't include redirect_uri.

- §4.2 typo "acceept" → "accept"

--

James Manger


Manger, James

31 Aug 2017 21:21:57
to: openid-...@lists.openid.net, ope...@justin.richer.org, pa...@nist.gov, mike....@securekey.com

Comments on “International Government Assurance Profile (iGov) for OAuth 2.0 - Draft 02” http://openid.net/specs/openid-igov-oauth2-1_0.html:

- §2.1.1 “Requests to the Authorization Endpoint” says clients "MUST include their full redirect URIs in the authorization request", but the example doesn't include it. The example has client_id, nonce, response_type and scope parameters, but no redirect_uri.

- §2.1.1 It should also be “URI” singular (not “URIs” plural) as, though a client might have multiple URIs registered, it can only include 1 in any particular request.

- §2.1.2 Example POST to /token doesn't include redirect_uri.

- §4.2 typo "acceept" → "accept"

Comments on

P.S. It is a pity it isn’t easy to comment on specs when their review periods and votes are announced to the whole OpenID Foundation. All members are asked to vote (and many are needed to reach a quorum), but only those within the specific working group can send email to its list. Or perhaps openid-...@lists.openid.net is the right place for these sorts of comments from non-group members.

--

James Manger


Manger, James

31 Aug 2017 21:55:16
to: openid-...@lists.openid.net, ope...@justin.richer.org, pa...@nist.gov, mike....@securekey.com

Comments on “International Government Assurance Profile (iGov) for OpenID Connect 1.0 - Draft 02” http://openid.net/specs/openid-igov-openid-connect-1_0.html:

§3.1 “ID Tokens” Both examples are wrong.

- The 1st example is missing a dot between the 2nd & 3rd segments of the JWT.
WRONG  …MTJ9mQc0…
RIGHT  …MTJ9.mQc0…

- The 1st segment decodes to {"alg":"RS256"}, which is inadequate. It at least needs a “kid” member.

- The “iss” value in the base64url-encoding escapes “/” as “\/”, which is unnecessary but allowed. However, when shown as JSON in the 2nd example the escaping is wrong.
WRONG  "iss": "https:\\/\\/idp-p.example.com\\/",
BEST   "iss": "https://idp-p.example.com/",
OKAY   "iss": "https:\/\/idp-p.example.com\/",

- The JSON shows a "vot": "" member that is not present in the base64url-encoding. If “vot” was present, the text says “vtm” is REQUIRED.

- §3.2 “UserInfo Endpoint” example Bearer token is wrong: the dot is in the wrong place. It probably should be “…MTJ9.iHM…” instead of “…MTJ9i.HM…”.

- §3.2 “UserInfo Endpoint” example “iss” is missing the trailing “/”.

- §3.6 “Discovery” Text says the discovery doc MUST include a “vot” field, but no such field is in the example. And it would be more consistent with other members to label it, say, “vot_values_supported”.

Comments on “International Government Assurance Profile (iGov) for OAuth 2.0 - Draft 02” http://openid.net/specs/openid-igov-oauth2-1_0.html:

- §2.1.1 “Requests to the Authorization Endpoint” says clients "MUST include their full redirect URIs in the authorization request", but the example doesn't include it. The example has client_id, nonce, response_type and scope parameters, but no redirect_uri.

- §2.1.1 It should also be “URI” singular (not “URIs” plural) as, though a client might have multiple URIs registered, it can only include 1 in any particular request.

- §2.1.2 Example POST to /token doesn't include redirect_uri.

- §4.2 typo "acceept" → "accept"

P.S. Apologies for a couple of incomplete previous emails. What I thought was a shortcut for § was treated as a shortcut for “Send” ;(

--

James Manger
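As an added illustration, not part of the mail above or of the iGov draft, here are the structural checks behind the §3.1 ID Token points in Python: three dot-separated segments, a "kid" in the JOSE header, an exact "iss" match (a missing trailing "/" fails), "vtm" required whenever "vot" is present, and how the two JSON spellings of "iss" decode. The token contents and the sub, kid, vot and vtm values are constructed placeholders.

```python
import base64
import json

# Issuer exactly as the draft's first ID Token example spells it (with trailing "/").
EXPECTED_ISS = "https://idp-p.example.com/"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def make_sample_token(header: dict, claims: dict) -> str:
    """Compact JWS with a dummy third segment: constructed, unsigned test data."""
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()),
                     b64url(b"dummy-signature")])

def decoded_iss(json_text: str) -> str:
    """The 'iss' string a JSON parser actually yields after unescaping."""
    return json.loads(json_text)["iss"]

def review_id_token(token: str, expected_iss: str = EXPECTED_ISS) -> list[str]:
    """Structural findings mirroring the review points; [] means none.
    Signature verification is deliberately out of scope here."""
    parts = token.split(".")
    if len(parts) != 3:  # a missing dot fuses payload and signature: "...MTJ9mQc0..."
        return [f"expected 3 dot-separated segments, got {len(parts)}"]
    findings = []
    header = json.loads(b64url_decode(parts[0]))
    if "kid" not in header:  # {"alg":"RS256"} alone does not say which key signed it
        findings.append("JOSE header lacks 'kid'")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != expected_iss:  # exact match: catches a missing trailing "/"
        findings.append(f"iss {claims.get('iss')!r} != {expected_iss!r}")
    if "vot" in claims and "vtm" not in claims:  # vtm is REQUIRED whenever vot is present
        findings.append("'vot' present without required 'vtm'")
    return findings

# Constructed samples (placeholder sub/kid/vot/vtm values, not taken from the draft).
BAD_TOKEN = make_sample_token(
    {"alg": "RS256"},
    {"iss": "https://idp-p.example.com", "sub": "sub-placeholder", "vot": "vot-placeholder"})
GOOD_TOKEN = make_sample_token(
    {"alg": "RS256", "kid": "kid-placeholder"},
    {"iss": EXPECTED_ISS, "sub": "sub-placeholder", "vot": "vot-placeholder",
     "vtm": "https://idp-p.example.com/vtm-placeholder"})
```

`decoded_iss` shows why the second example's escaping matters: the JSON text `"https:\/\/idp-p.example.com\/"` decodes to the expected issuer, while `"https:\\/\\/idp-p.example.com\\/"` decodes to a string containing literal backslashes and fails the exact-match check.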
