Standard - 2.2.6.1 Add ID Token Validation text

Issue #841 resolved
Nat Sakimura created an issue

It references Section 2.1.2 of OpenID Connect Messages 1.0 as what is being returned using this binding.

IMHO, it is rather important to call out the validation section as well, since a reader may just think "oh, that's just a format" and not follow the validation requirements set forth in Section 4 of OpenID Connect Messages 1.0 here as well.

Also, the validation section may call out the HTTP-specific precautions, such as checking the binding between the state parameter or nonce and a cookie, etc.

Comments (11)

  1. Nat Sakimura reporter

    Insert the following as the 3rd paragraph:

    The client MUST validate the response as follows:

    Case 1: response_type=code

    1. Follow all the verification rules in RFC 6749.

    Case 2: response_type=token id_token

    1. Follow all the verification rules in RFC 6749.
    2. Follow the validation rules in 4.2 and 4.4 of Messages [OpenID.Messages]

    Case 3: response_type=code id_token

    1. Follow all the verification rules in RFC 6749.
    2. Follow the validation rules in 4.2 and 4.5 of Messages [OpenID.Messages]

    Case 4: response_type=token code

    1. Follow all the verification rules in RFC 6749.

    Case 5: response_type=token code id_token

    1. Follow all the verification rules in RFC 6749.
    2. Follow the validation rules in 4.2, 4.3, and 4.5 of Messages [OpenID.Messages]

    BTW we seem to use 'verification' and 'validation' almost interchangeably. Should we just standardize on 'verification'?

    According to OED,

    verification, n.

    1. The action of demonstrating or proving to be true or legitimate by means of evidence or testimony; formal assertion of truth. Now rare.
    2. Demonstration of truth or correctness by facts or circumstances.
    3. a. The action of establishing or testing the truth or correctness of a fact, theory, statement, etc., by means of special investigation or comparison of data. b. The action of verifying or testing the accuracy of an instrument, or the quality of goods. Also attrib.

    validation, n.

    a. The action of validating or making valid.

    So, here, we actually are talking about verification and not validation.

  2. Michael Jones

    We shouldn't standardize on "verification", for the reasons that led to issue #666 and the edits to resolve it. Given they mean different things, we should keep using the correct term in the correct place for the intended meaning in that context.

    Thanks for supplying the specific text. I'll apply it shortly.

  3. Nat Sakimura reporter

    In view of the verification vs. validation discussion, I amend my proposed text to the following:

    The client MUST validate the response as follows:

    Case 1: response_type=code

    1. Validate the response according to RFC 6749, especially Sections 4.1.2 and 10.12.

    Case 2: response_type=token id_token

    1. Verify that the response conforms to Section 5 of [OAuth.Responses]
    2. Follow all the validation rules in RFC 6749, especially Sections 4.2.2 and 10.12.
    3. Follow the validation rules in 4.2 and 4.4 of Messages [OpenID.Messages]

    Case 3: response_type=code id_token

    1. Verify that the response conforms to Section 5 of [OAuth.Responses]
    2. Follow all the validation rules in RFC 6749, especially Sections 4.2.2 and 10.12.
    3. Follow the validation rules in 4.2 and 4.5 of Messages [OpenID.Messages]

    Case 4: response_type=token code

    1. Verify that the response conforms to Section 5 of [OAuth.Responses]
    2. Follow all the validation rules in RFC 6749, especially Sections 4.2.2 and 10.12.

    Case 5: response_type=token code id_token

    1. Verify that the response conforms to Section 5 of [OAuth.Responses]
    2. Follow all the validation rules in RFC 6749, especially Sections 4.2.2 and 10.12.
    3. Follow the validation rules in 4.2, 4.3, and 4.5 of Messages [OpenID.Messages]
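As an added example (not text from this issue, and not code from the OpenID Connect specifications), the following Python sketches the client-side dispatch the proposed text above describes: the redirect response is checked against the parameters the requested response_type should carry, the state parameter is compared with the value the client bound to the user agent's session (the cookie binding the issue description asks for), and for the id_token cases the token's signature, issuer, audience, expiry and nonce are checked. The issuer, client identifier, shared secret and the HS256 algorithm are constructed assumptions; rejecting parameters that belong to response types the client did not request is a design choice of this example, not a rule quoted from the thread.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample configuration for this example (not from the issue thread).
CLIENT_ID = "client-123"
CLIENT_SECRET = b"constructed-shared-secret"
ISSUER = "https://op.example"

# Parameters each response_type value contributes to the redirect URI
# (RFC 6749 4.1.2 and 4.2.2 for code and token; OpenID Connect adds id_token).
PARAMS_FOR = {
    "code": {"code"},
    "token": {"access_token", "token_type"},
    "id_token": {"id_token"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_id_token(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed ID Token; used here only to build sample input."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    nonce: str, now: float) -> dict:
    """Signature, issuer, audience, expiry and nonce checks on an HS256 ID Token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("id_token is not a compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the client, not the token, fixes the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("client is not an audience of this token")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce does not match the one bound to this session")
    return claims


def validate_authz_response(query: str, response_type: str, session: dict,
                            now: Optional[float] = None) -> dict:
    """Validate the query part of the redirect URI for the given response_type.

    `session` holds the state and nonce the client bound to the user agent
    (for instance in a cookie) when it sent the authorization request.
    """
    params = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
    if "error" in params:
        raise ValueError(f"authorization server returned error: {params['error']}")
    # RFC 6749 10.12: state must be present and equal to the value bound to this user agent.
    state = params.get("state")
    if state is None or not hmac.compare_digest(state, session["state"]):
        raise ValueError("state missing or not bound to this session")
    wanted = set().union(*(PARAMS_FOR[t] for t in response_type.split()))
    missing = wanted - params.keys()
    if missing:
        raise ValueError(f"response lacks {sorted(missing)}")
    # Design choice of this example: artifacts of response types that were not requested are rejected.
    extra = (set().union(*PARAMS_FOR.values()) - wanted) & params.keys()
    if extra:
        raise ValueError(f"unrequested parameters {sorted(extra)}")
    result = {k: params[k] for k in wanted}
    if "id_token" in wanted:
        result["claims"] = verify_id_token(params["id_token"], CLIENT_SECRET, ISSUER,
                                           CLIENT_ID, session["nonce"], now or time.time())
    return result
```

The state comparison uses a constant-time compare and treats an absent state as a failure rather than skipping the check; the nonce is only meaningful once the signature has been verified, which is why it is checked last inside verify_id_token.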

  4. Michael Jones
    • changed status to open

    Nat, please review. I added the missing case 6. Also, it seems that we're missing case 7 - response_type=id_token in both the example and the validation section. I believe that we need to add these.

  5. Michael Jones

    We will move the new text before the non-normative examples. We will also add "case 7: response_type=id_token".
