trust_mark as a query parameter
https://openid.net/specs/openid-connect-federation-1_0.html (draft 24) doesn’t have any restrictions on the size of trust marks, which could easily become an issue when a trust mark is passed as a query parameter in the status endpoint (see section 7.4.1). JWTs can be silently truncated because of the size limits on HTTP request headers presented by various server implementations.
It makes sense to allow the processing of an HTTP POST request as well in order to mitigate this sort of issue (or completely move to an HTTP POST request).
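The following Python sketch is an added example, not part of the original issue or of the specification: it shows a structural completeness check a status endpoint could run on a received `trust_mark` to catch the truncation described above, and a client-side choice between GET and POST based on request-line length. The 8190-byte limit, the form-encoded POST body, the endpoint URL and the sample token (large constructed payload, all-zero placeholder signature) are assumptions.

```python
import base64
import json
from urllib.parse import urlencode

# Raw signature sizes for fixed-length JWS algorithms (RFC 7518).
FIXED_SIG_LEN = {"HS256": 32, "ES256": 64, "ES384": 96, "ES512": 132}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(seg: str) -> bytes:
    # JWS compact serialization drops base64 padding; restore it first.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def truncation_reason(trust_mark: str):
    """Return None if the compact JWS is structurally complete, else the reason."""
    parts = trust_mark.split(".")
    if len(parts) != 3 or not all(parts):
        return "expected three non-empty segments"
    try:
        header = json.loads(b64url_decode(parts[0]))
        json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:  # bad base64url, bad UTF-8 or bad JSON
        return "segment does not decode"
    alg = header.get("alg") if isinstance(header, dict) else None
    expected = FIXED_SIG_LEN.get(alg) if isinstance(alg, str) else None
    if expected is not None and len(sig) != expected:
        return f"signature is {len(sig)} bytes, {alg} needs {expected}"
    return None

def status_request(endpoint: str, trust_mark: str, max_request_line: int = 8190):
    """Pick GET only if the whole request line fits the assumed limit, else POST."""
    query = urlencode({"trust_mark": trust_mark})
    if len(f"GET {endpoint}?{query} HTTP/1.1") <= max_request_line:
        return ("GET", f"{endpoint}?{query}", None)
    return ("POST", endpoint, query)  # assumed form-encoded request body

# Constructed sample: oversized payload, placeholder (all-zero) ES256 signature.
HEADER = b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
PAYLOAD = b64url(json.dumps({"sub": "https://rp.example.org",
                             "logo_uri": "data:image/png;base64," + "A" * 9000}).encode())
SAMPLE = f"{HEADER}.{PAYLOAD}.{b64url(bytes(64))}"

if __name__ == "__main__":
    print(truncation_reason(SAMPLE), "|", truncation_reason(SAMPLE[:8000]))
    print(status_request("https://ta.example.org/status", SAMPLE)[0])
```

The check only detects structural damage; a token that passes it still has to go through normal signature verification.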
Comments (7)
-
reporter I’m wondering why? Who wants to deal with the issues caused by randomly truncated signatures of JWTs?
-
Hi Tom, I really don’t remember your proposal but if I missed it please accept my excuses.
I think that we really need to adopt HTTP POST instead of GET, so if the other editors agree I’ll do a PR for this
-
This is the PR that resolves this issue
https://bitbucket.org/openid/connect/pull-requests/346/fix-federation-trust-mark-status-http
-
The proposal was for a GET with a query string. Be the change you want to see in the world ..tom
-
- changed status to resolved
This was a proposal I made earlier which was rejected.