Messages - 1 Message not properly defined

Issue #51 resolved
Former user created an issue

The declared goal of the Messages specification is to define the abstract protocol messages and flows.

The "message" term is not formally defined but referenced in ways that are confusing. Specifically, it is unclear whether a message is an OAuth 2 request / response, a token, or a request object defined by some other document (Edmund hinted on a call that it can be all/any of these, depending on context.) This becomes confusing when the Messages document moves to talk about signing/encryption/verifying a message.

See also: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20110905/000961.html

Comments (7)

  1. Nat Sakimura

    Just as a data point:

    1. SAML (http://www.oasis-open.org/committees/download.php/35711/sstc-saml-core-errata-2.0-wd-06-diff.pdf ) also talks about "messages" but it does not define it. It is used without a definition. Thus the meaning is only implied. What we mean is exactly the same, but unfortunately we cannot point to the definition there.
    2. WS-Security (http://docs.oasis-open.org/wss/v1.1/wss-v1.1-spec-os-SOAPMessageSecurity.pdf ) also talks about "messages" but it does not define it. It uses it as "SOAP messages" and the semantics are the same with ours but as it does not define it, we cannot borrow it either.
    3. The SOAP (http://www.w3.org/TR/soap12-part1/) Specification talks about messages, but again, it does not define it.
    4. REST uses 'messages' but it does not define it explicitly either.

    So, to solve this issue, we cannot draw precedence from them.

    When we dive one layer deeper, HTTP 1.1 actually defines Messages.

    • HTTP messages consist of requests from client to server and responses from server to client.

    Unfortunately, "request" and "response" are implicit, but I guess that is ok.

    Given it is ok to use implicit definitions for request and response, my shot at the moment is something like:

    Messages

    OpenID Connect Messages consist of Claims requests from client to server and Claims responses from server to client about an Entity.

    BTW, is there a good word for a "Claim request"?

  2. Former user Account Deleted

    The core problem here is not the lack of a definition for what a message is, though that would be an ideal solution for clarifying things in my opinion.

    The problem is that the Messages document makes contradictory statements about "messages". If these statements can be clarified and made consistent somehow without a formal definition for messages, that's fine. However, given that the very name of the document is "Messages", I believe a definition would be in order.

  3. Former user Account Deleted

    SAML has a good definition for "assertions" which constitute, in effect, their abstract messages.

    SOAP does define what a message is, in section 5 SOAP Message Construct (and WS-Security uses this).

  4. Nat Sakimura

    Drop "Each message may be signed and encrypted. " Move the rest of the paragraph to Section 5.

    Define Messages as:

    Message

    A request or a response between an OpenID Relying Party and an OpenID Provider.