Messages 2.1.2.1 and Standard 2.3.1.2 - Inconsistent treatment of OAuth parameters in OpenID request message

Issue #575 resolved
Michael Jones created an issue

As reported by Vladimir Dzhuvinov, http://openid.net/specs/openid-connect-standard-1_0-09.html#req_param_method says

"All [...] parameters MUST also be JSON Serialized into the OpenID Request Object with the same values."

whereas http://openid.net/specs/openid-connect-messages-1_0-09.html#OpenID_Request_Object says

"If the same parameters are present both in the Authorization Request and in the OpenID Request Object, the latter takes precedence."

This is both inconsistent and confusing.

Comments (2)

  1. Michael Jones reporter

    We agreed to change Messages and Standard to state that it is optional to also include OAuth parameters in the OpenID request object, but that if they are in both places, they MUST match.

    Optional OAuth parameters MAY be present only in the OpenID Request object. The one exception to this is that the scope parameter is the one OAuth parameter that MUST be present in the OAuth request (so the "openid" scope is always present in the OAuth request).
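As an added illustration (not code from the issue or from the OpenID specs), the following check applies the rule agreed above on the server side: OAuth parameters may be duplicated in the request object, any parameter present in both places must carry the same value, and scope must be in the OAuth request itself. It assumes the request object's signature has already been verified and its JSON claims decoded into a dict; the sample query string and claims are constructed.

```python
from urllib.parse import parse_qs

# OAuth 2.0 authorization request parameters that a client may also place
# in the OpenID Request Object (assumed list for this example).
OAUTH_PARAMS = ("response_type", "client_id", "redirect_uri", "scope", "state")


def check_request_consistency(query_string, request_object):
    """Return a list of violations; an empty list means the pair is consistent.

    query_string:   raw query component of the OAuth authorization request.
    request_object: decoded JSON claims of the OpenID Request Object (its
                    signature is assumed to have been verified upstream).
    """
    # parse_qs keeps every value; a repeated parameter is rejected here
    # so that a second copy cannot quietly override the first.
    parsed = parse_qs(query_string, keep_blank_values=True)
    violations = [f"{name}: repeated in authorization request"
                  for name, values in parsed.items() if len(values) > 1]
    query = {name: values[0] for name, values in parsed.items()}

    # scope MUST be in the OAuth request and MUST carry "openid".
    if "openid" not in query.get("scope", "").split():
        violations.append("scope: missing from authorization request or lacks 'openid'")

    # A parameter present in both places MUST have the same value.
    for name in OAUTH_PARAMS:
        if name in query and name in request_object:
            if str(request_object[name]) != query[name]:
                violations.append(
                    f"{name}: {query[name]!r} in request, "
                    f"{request_object[name]!r} in request object")
    return violations


# Constructed sample: a consistent pair, then a redirect_uri mismatch.
AUTHZ_QUERY = ("response_type=code&client_id=s6BhdRkqt3&scope=openid%20profile"
               "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb&state=af0ifjsldkj")
REQUEST_OBJECT = {"response_type": "code", "client_id": "s6BhdRkqt3",
                  "redirect_uri": "https://client.example.org/cb",
                  "scope": "openid profile",
                  "userinfo": {"claims": {"name": None}}}

if __name__ == "__main__":
    print(check_request_consistency(AUTHZ_QUERY, REQUEST_OBJECT))  # []
    mismatched = dict(REQUEST_OBJECT, redirect_uri="https://other.example.org/cb")
    print(check_request_consistency(AUTHZ_QUERY, mismatched))
```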
