- changed milestone to Final
assigned issue to
space is delimiter while also a legal character in client_id and session state
Issue #917
resolved
The space character is used to concatenate/delimit client_id and session state in the postMessage data but is also a legal character in both of those values.
So it can't be used reliably to parse the two values apart unless additional constraints or assumptions are made about the content of client_id and/or session state.
IMHO, it should be fixed. But if not, it should at least be called out.
There's some discussion on the list (I'm filing this issue so it won't get lost): http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20140203/004598.html
Comments (2)
- changed status to resolved
Fixed
#917 - Session state must not contain the space character → <<cset 99235161cfc4>>
We will prohibit spaces in the session state, which would allow a right split to work regardless of the content of the Client ID. We will also recommend that no spaces be used in Client IDs.
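The right split described in the resolution, next to a first-space split that shows the ambiguity from the issue. This is an added example, not code from the specification or from the thread; the function names (`buildMessage`, `parseMessage`, `parseMessageLeftSplit`) and the sample values are hypothetical and constructed for illustration.

```javascript
// Sender side: enforce the constraint adopted in the resolution of this issue,
// i.e. the session state must not contain a space. The Client ID may still
// contain one (spaces there are only discouraged, not prohibited).
function buildMessage(clientId, sessionState) {
  if (typeof clientId !== "string" || clientId.length === 0) {
    throw new Error("client_id must be a non-empty string");
  }
  if (typeof sessionState !== "string" || sessionState.length === 0 ||
      sessionState.includes(" ")) {
    throw new Error("session state must be non-empty and contain no space");
  }
  return clientId + " " + sessionState;
}

// Receiver side: split on the LAST space. Because the session state cannot
// contain a space, everything before the last space is the Client ID.
// Returns null for malformed input instead of guessing.
function parseMessage(data) {
  if (typeof data !== "string") return null;
  const i = data.lastIndexOf(" ");
  if (i <= 0 || i === data.length - 1) return null; // no delimiter or empty part
  return { clientId: data.slice(0, i), sessionState: data.slice(i + 1) };
}

// For comparison only: splitting on the FIRST space misparses any message
// whose Client ID contains a space.
function parseMessageLeftSplit(data) {
  if (typeof data !== "string") return null;
  const i = data.indexOf(" ");
  if (i <= 0 || i === data.length - 1) return null;
  return { clientId: data.slice(0, i), sessionState: data.slice(i + 1) };
}

// Constructed sample values (not taken from the page).
const sampleData = buildMessage("my client 01", "a1b2c3.salt9");
console.log(parseMessage(sampleData));          // Client ID recovered intact
console.log(parseMessageLeftSplit(sampleData)); // Client ID truncated at the first space
```

A receiver should treat a `null` result as a malformed message rather than falling back to another split.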