From what I read, you've defined something that uses an OAuth 2 code flow to
get an extra token which is specified as a JWT. You named it session_token
instead of id_token, and you've left off the User Information Endpoint --
but other than that, this is exactly the Basic Client for OpenID
The OIDC specs do not allow this simple an implementation. The spec members
have not shown interest in making changes as they say they are too far down the
road.
I have tried to make my draft as close as possible to OIDC but maybe it
shouldn't be clarity wise. I am interested in what the group
What do you mean? You absolutely can implement a compliant OIDC server nearly
as simply as this. The things that you're missing I think are necessary for
basic interoperable functionality, and are things that other folks using OAuth
for authentication have also implemented. Namely:
- Signing
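The signing point above is the one that separates a bare "extra JWT" from an id_token a client can actually trust. As an added illustration (not code from the thread or from any draft), here is a minimal HS256 id_token check using only the standard library: the client verifies the signature with the shared client secret, pins the algorithm, and checks iss, aud, exp and nonce. Issuer, client id and secret are constructed values.

```python
import base64, hashlib, hmac, json, time

# Constructed values for the example; not from the thread or any real deployment.
ISSUER = "https://op.example.invalid"
CLIENT_ID = "client-123"
CLIENT_SECRET = b"constructed-shared-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_id_token(claims: dict, secret: bytes) -> str:
    """Mint a compact JWS (HS256): base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      nonce: str, now=None):
    """Return (claims, None) if the token is acceptable, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour 'none'
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None, "bad signature"       # checked before any claim is trusted
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud_ok = client_id in aud if isinstance(aud, list) else aud == client_id
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    if not aud_ok:
        return None, "wrong audience"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("nonce") != nonce:      # binds the token to this login request
        return None, "nonce mismatch"
    return claims, None

def rewrite_sub_without_secret(token: str, new_sub: str) -> str:
    """Negative test: change 'sub' but keep the old signature; validation must reject it."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["sub"] = new_sub
    return f"{h}.{_b64url(json.dumps(claims).encode())}.{s}"
```

An unsigned session_token would pass every claim check above after the same rewrite, which is why a signature is on the must-have list even when the userinfo endpoint is not.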
That's what people thought with OpenID 2.0, and they were wrong then, too, if
you ask me. Even then, userinfo endpoint isn't MTI anyway.
-- Justin
On Jul 30, 2013, at 11:25 AM, Phil Hunt
phil.h...@oracle.com
wrote:
The whole point is authn only. Many do not want
Yes, that.
On Tue, Jul 30, 2013 at 4:46 PM, Richer, Justin P. jric...@mitre.org wrote:
Yes, I agree that the giant stack of documents is intimidating and in my
opinion it's a bit of a mess with Messages and Standard split up (but I
lost that argument years ago).
I always think I pretty much understand OIDC until I see the specs list
On 7/30/13 12:39 PM, Brian Campbell wrote:
Yes, that.
On Tue, Jul 30, 2013 at 4:46 PM, Richer, Justin P. jric...@mitre.org wrote:
Yes, I agree that the giant stack of documents is
So it's not the protocol that's the problem, it's the documentation. For that
I'm 100% with you all. However, I really don't think that the right response to
that is we'll just invent something new and incompatible with slightly
different names -- it's to document the protocol better.
--
To: Brian Campbell bcampb...@pingidentity.com,
Cc: oauth@ietf.org WG oauth@ietf.org
Date: 07/30/2013 12:59 PM
Subject: Re: [OAUTH-WG] New Version Notification for draft-hunt-oauth-v2-user-a4c-00.txt
Sent by: oauth-boun...@ietf.org
I always think I pretty much understand OIDC
Right. Anyone who agreed to IPR could have proposed the text in the work
group.
Re: Messages and Standard
Messages were supposed to be the collection of terminology and parameters
sets.
Standard was meant to be HTTP binding, which would effectively make it
OAuth 2.0 + authentication + identity.