Actually, there is a very clear definition of what the minimal Mandatory To
Implement (MTI) in OpenID Connect is - it's right in the spec. See the (quite
short) sections:
15.1.<http://openid.net/specs/openid-connect-core-1_0.html#ServerMTI>
Mandatory to Implement Features for All OpenID Providers
15.2.<http://openid.net/specs/openid-connect-core-1_0.html#DynamicMTI>
Mandatory to Implement Features for Dynamic OpenID Providers
-- Mike
-----Original Message-----
From: OAuth [mailto:[email protected]] On Behalf Of Prateek Mishra
Sent: Friday, June 13, 2014 9:24 AM
To: Bill Burke; Phil Hunt
Cc: [email protected]
Subject: Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c
Excellent, now you have put your finger on the precise issue with OIDC - lots
of optional extensions and shiny trinkets and lack of a clear definition of a
core subset for servers.
I realize its exciting for consultants, software and toolkit vendors to have
that sort of optionality, but in practice, its NOT A GOOD THING in a protocol.
[quote]
>
>> It is a bit like saying an 18 wheeler is suitable for driving the
>> kids to school. :-)
>
> I don't think this is true. Most oidc oauth extensions are optional
> with the sole requirement that providers don't barf if you send them.
>
[\quote]
_______________________________________________
OAuth mailing list
[email protected]<mailto:[email protected]>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
