Standard - 2.2.6.1 Add ID Token Validation text
It references Section 2.1.2 of OpenID Connect Messages 1.0 as what is being returned using this binding.
IMHO, it is rather important to call out the validation section as well, since the reader may just think "oh, that's just a format" and not follow the validation requirements set forth in Section 4 of OpenID Connect Messages 1.0 here as well.
Also, the validation section may call out HTTP-specific precautions, such as checking the binding of the state parameter or nonce to a cookie, etc.
Comments (11)
reporter - changed status to open
Nat to provide the text.
reporter Insert the following as the 3rd paragraph:
The client MUST validate the response as follows:
Case 1: response_type=code
- Follow all the verification rules in RFC 6749.
Case 2: response_type=token id_token
- Follow all the verification rules in RFC 6749.
- Follow the validation rules in 4.2 and 4.4 of Messages [OpenID.Messages]
Case 3: response_type=code id_token
- Follow all the verification rules in RFC 6749.
- Follow the validation rules in 4.2 and 4.5 of Messages [OpenID.Messages]
Case 4: response_type=token code
- Follow all the verification rules in RFC 6749.
Case 5: response_type=token code id_token
- Follow all the verification rules in RFC 6749.
- Follow the validation rules in 4.2, 4.3, and 4.5 of Messages [OpenID.Messages]
BTW we seem to use 'verification' and 'validation' almost interchangeably. Should we just standardize on 'verification'?
According to OED,
verification, n.
- The action of demonstrating or proving to be true or legitimate by means of evidence or testimony; formal assertion of truth. Now rare.
- Demonstration of truth or correctness by facts or circumstances.
- a. The action of establishing or testing the truth or correctness of a fact, theory, statement, etc., by means of special investigation or comparison of data. b. The action of verifying or testing the accuracy of an instrument, or the quality of goods. Also attrib.
validation, n.
a. The action of validating or making valid.
So, here, we actually are talking about verification and not validation.
- changed milestone to Implementer's Draft
assigned issue to
We shouldn't standardize on "verification", for the reasons that led to issue #666 and the edits to resolve it. Given they mean different things, we should keep using the correct term in the correct place for the intended meaning in that context.
Thanks for supplying the specific text. I'll apply it shortly.
reporter In view of the verification vs. validation discussion, I amend my proposed text to the following:
The client MUST validate the response as follows:
Case 1: response_type=code
- Validate the response according to RFC 6749, especially Sections 4.1.2 and 10.12.
Case 2: response_type=token id_token
- Verify that the response conforms to Section 5 of [OAuth.Responses]
- Follow all the validation rules in RFC 6749, especially Sections 4.2.2 and 10.12.
- Follow the validation rules in 4.2 and 4.4 of Messages [OpenID.Messages]
Case 3: response_type=code id_token
- Verify that the response conforms to Section 5 of [OAuth.Responses]
- Follow all the validation rules in RFC 6749, especially Sections 4.2.2 and 10.12.
- Follow the validation rules in 4.2 and 4.5 of Messages [OpenID.Messages]
Case 4: response_type=token code
- Verify that the response conforms to Section 5 of [OAuth.Responses]
- Follow all the validation rules in RFC 6749, especially Sections 4.2.2 and 10.12.
Case 5: response_type=token code id_token
- Verify that the response conforms to Section 5 of [OAuth.Responses]
- Follow all the validation rules in RFC 6749, especially Sections 4.2.2 and 10.12.
- Follow the validation rules in 4.2, 4.3, and 4.5 of Messages [OpenID.Messages]
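As an added example (not text from this issue, and not the spec's own wording), here is what a client-side check for the cases above looks like in working code: the state bound to the cookie session (RFC 6749 10.12), the ID Token signature, iss/aud/exp/nonce, and the at_hash/c_hash binding of the access_token and code to the signed ID Token. It assumes an ID Token signed with HS256 over the client secret and the at_hash/c_hash rules as written in the final OpenID Connect Core (left-most half of SHA-256, base64url), since the draft section numbers cited here are not reproduced on this page; the issuer, client_id, secret, code and token values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def left_half_hash(value: str) -> str:
    """at_hash / c_hash for a SHA-256 alg: base64url of the left-most 128 bits of SHA-256(value)."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def make_hs256_id_token(claims: dict, client_secret: str) -> str:
    """Fixture only: stands in for the OP signing an ID Token with HS256 over the client secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256_id_token(id_token: str, client_secret: str) -> dict:
    """Signature check only; the caller validates the claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # reject alg=none and any alg the client did not register
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("id_token signature mismatch")
    return json.loads(_b64url_decode(p))


def validate_authz_response(response_type, params, session, issuer, client_id, client_secret, now=None):
    """Validate an Authorization Endpoint response for any response_type combination (cases 1-7).

    `session` holds the state and nonce the client stored in its cookie-bound session before
    redirecting. Returns the verified ID Token claims, or {} when no id_token was requested.
    """
    now = int(time.time()) if now is None else now
    rt = set(response_type.split())
    # Every case: the state must be the one tied to this browser session, else treat as CSRF.
    if not hmac.compare_digest(params.get("state", ""), session["state"]):
        raise ValueError("state does not match the session")
    if "error" in params:
        raise ValueError(f"OP returned error {params['error']!r}")
    if "code" in rt and not params.get("code"):
        raise ValueError("code missing from response")
    if "token" in rt and (not params.get("access_token") or params.get("token_type", "").lower() != "bearer"):
        raise ValueError("access_token/token_type missing or unsupported")
    if "id_token" not in rt:
        if "id_token" in params:
            raise ValueError("unrequested id_token in response")
        return {}
    claims = verify_hs256_id_token(params.get("id_token", ""), client_secret)
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud or (len(aud) > 1 and claims.get("azp") != client_id):
        raise ValueError("aud/azp does not identify this client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")), session["nonce"]):
        raise ValueError("nonce mismatch; id_token was not issued for this session")
    # Front-channel artifacts returned next to the ID Token must be the ones the OP hashed into it.
    if "token" in rt and claims.get("at_hash") != left_half_hash(params["access_token"]):
        raise ValueError("at_hash mismatch; access_token was substituted")
    if "code" in rt and claims.get("c_hash") != left_half_hash(params["code"]):
        raise ValueError("c_hash mismatch; code was substituted")
    return claims


# Constructed sample data for the example; none of these values come from a real OP.
SECRET = "client-secret-for-example-only"
SESSION = {"state": "s3cr3t-state", "nonce": "n0nce-xyz"}


def example_hybrid_response(tamper_code: bool = False) -> dict:
    """Case 5 (token code id_token); tamper_code swaps the code after the OP signed the ID Token."""
    code, token = "SplxlOBeZQQYbYS6WxSbIA", "2YotnFZFEjr1zCsicMWpAA"
    claims = {"iss": "https://op.example", "sub": "248289761001", "aud": "s6BhdRkqt3",
              "exp": 2_000_000_000, "iat": 1_700_000_000, "nonce": SESSION["nonce"],
              "at_hash": left_half_hash(token), "c_hash": left_half_hash(code)}
    params = {"code": "ATTACKER-CODE" if tamper_code else code, "access_token": token,
              "token_type": "Bearer", "state": SESSION["state"],
              "id_token": make_hs256_id_token(claims, SECRET)}
    return validate_authz_response("token code id_token", params, SESSION,
                                   "https://op.example", "s6BhdRkqt3", SECRET, now=1_700_000_100)


if __name__ == "__main__":
    print(example_hybrid_response()["sub"])
```

The state check runs before anything is parsed so a forged redirect is dropped without touching the token; the nonce and c_hash/at_hash checks are what make the signed ID Token vouch for the code and access token that arrived beside it, which is the part a client that treats the ID Token as "just a format" would miss.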
Perfect. I'll add this as written.
- changed status to resolved
Fixed
#841 - Described verification requirements for Authorization Server responses. → <<cset 0acb39df11ff>>
- changed status to open
Nat, please review. I added the missing case 6. Also, it seems that we're missing case 7 - response_type=id_token in both the example and the validation section. I believe that we need to add these.
assigned issue to
assigned issue to
We will move the new text before the non-normative examples. We will also add "case 7: response_type=id_token".
- changed status to resolved
Again, please supply the precise text that you want to appear where.