Design Decisions and Rationales

Core

  • Be Modular
    • Provide building blocks which can be used later to create specific bindings and profiles without redefining the core.
  • Use parameter "openid" in Token Endpoint response as cookie to achieve session management.
    • Session management is "hard" to do correctly. Large OPs can help RPs to do it right.
  • Identifier transition support instead of identifier compatibility.
    • We need identifier transition anyway to support moving users between IdPs.
    • So, building standard transition mechanism seems to be a better solution than identifier compatibility.
  • Fixed set of core attributes supported from the UserInfo endpoint.
    • There have been a lot of complaints about incompatible AX attributes.
    • A fixed set of a small number of attributes should be standardized at least.
    • Attributes should be returned from a standard OAuth 2.0 Resource endpoint.
  • Use JWT, JWS, and JWE.
    • A single, coherent, interoperable security token framework is sought.
  • Use SWT.
    • We only need a very simple anonymous discovery.
    • Authenticated discovery is taken care of as just a standard OAuth 2.0 endpoint.
  • Why so much replication of OAuth 2.0 while not mentioning OAuth 2.0?
    • We have to wait until OAuth 2.0 is finished before it can be referenced, per the IETF rules.
    • We also wanted to further abstract OAuth 2.0 so that ABC is completely protocol-independent. This allows us to define bindings on other underlying protocols such as SMTP+CMS or even "Avian Carriers" (RFC1149, RFC2549).

Artifact Binding

  • Use "redirect_url" instead of "return_to"
    • In AB, everything except the artifact is obtained directly from the OP, so there is no notion of "return_to" except for the redirect URL for the artifact. Thus, "redirect_url" as defined in OAuth 2.0 seems to be a better match.
  • Not using "state" as "rpfurl"
    • "rpfurl" is more descriptive, and, for implementation, "state" is useful for other purposes.
  • PKCS1.5 Padding for Signature and not PSS.
    • PSS support is hard to find in some languages right now.