All - Create a MTI section

Issue #604 resolved
Nat Sakimura created an issue

There's been a discussion about Mandatory to Implement (MTI) features on the list.
We need to do a pass over the specs and make it clear what is MTI for IdPs.
Things that are optional to send are not necessarily optional to implement.
Brian said that there is text saying that support for the request object is optional.
We need to be clearer.
For instance, if an IdP doesn't understand the request object, should it say so?
Similarly, we need to clarify requirements for the display and prompt parameters.

We need to be clearer that the scopes are shorthands, not the primary mechanisms.
This was not universally understood.

Comments (5)

  1. Michael Jones

    Decisions: Servers must understand the request object. Servers must understand signed request objects. It's optional for servers to understand encrypted request objects. It's optional for clients to understand aggregated and distributed claims.

    Open Issues to Specify: Does the server have to support the UserInfo endpoint? Does the server have to be able to sign the UserInfo endpoint response? Does the server have to understand acr? (many others)

    Nat will make a list of issues and a proposal for the October 2012 in-person WG meeting.

  2. Michael Jones

    Per the discussions at the 22-Oct-12 working group meeting at Google, for OPs, there will be different sets of MTI features for "open" systems (another possible term suggested is "dynamic") and "closed" systems (other possible terms are "static", "pre-negotiated", "cold-boot", and "out-of-band").

    MTI features for OPs include: OpenID request object for claims requests, RSA signing, Discovery and Registration for "open" systems, UserInfo endpoint for "open" systems, preferred_locales (in the sense that it must not throw an exception).

    OPs can ignore acr if they don't understand it.

    People didn't think that requiring signing the userinfo response should be MTI.

    Breno suggested that we may want a discovery error saying that static registration is required.
