Design Decisions and Rationales
- Be modular.
  - Provide building blocks that can be used later to create specific bindings and profiles without redefining the core.
- Use the "openid" parameter in the Token Endpoint response as a cookie to achieve session management.
  - Session management is "hard" to do correctly. Large OPs can help RPs get it right.
- Identifier transition support instead of identifier compatibility.
  - We need identifier transition anyway to support moving users between IdPs.
  - So building a standard transition mechanism seems to be a better solution than identifier compatibility.
- Fixed set of core attributes supported from the UserInfo endpoint.
  - There have been many complaints about incompatible AX attributes.
  - A fixed set of a small number of attributes should be standardized at least.
  - Attributes should be returned from a standard OAuth 2.0 Resource endpoint.
- Use JWT, JWS, and JWE.
  - A single coherent, interoperable security token framework is sought.
  - Use SWT.
- We only need a very simple anonymous discovery.
  - Authenticated discovery is handled as just a standard OAuth 2.0 endpoint.
- Why so much replication of OAuth 2.0 while not mentioning OAuth 2.0?
  - We have to wait until OAuth 2.0 is finished before it can be referenced, per the IETF rules.
  - We also wanted to further abstract OAuth 2.0 so that ABC will be completely protocol independent. This allows us to define bindings on other underlying protocols such as SMTP+CMS or even "Avian Carriers" (RFC1149, RFC2549).
- Use "redirect_url" instead of "return_to".
  - In AB, everything except the artifact is obtained directly from the OP, so there is no notion of "return_to" except for the redirect URL for the artifact. Thus "redirect_url", as defined in OAuth 2.0, seems to be a better match.
- Not using "state" as "rpfurl".
  - "rpfurl" is more descriptive, and in implementations "state" is useful for other purposes.
- PKCS#1 v1.5 padding for signatures, not PSS.
  - PSS support is hard to find in some languages right now.