Actually, there is a very clear definition of what the minimal Mandatory To Implement (MTI) in OpenID Connect is - it's right in the spec. See the (quite short) sections:
15.1. Mandatory to Implement Features for All OpenID Providers <http://openid.net/specs/openid-connect-core-1_0.html#ServerMTI>
15.2. Mandatory to Implement Features for Dynamic OpenID Providers <http://openid.net/specs/openid-connect-core-1_0.html#DynamicMTI>

-- Mike

-----Original Message-----
From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Prateek Mishra
Sent: Friday, June 13, 2014 9:24 AM
To: Bill Burke; Phil Hunt
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Question regarding draft-hunt-oauth-v2-user-a4c

Excellent, now you have put your finger on the precise issue with OIDC - lots of optional extensions and shiny trinkets and lack of a clear definition of a core subset for servers. I realize it's exciting for consultants, software and toolkit vendors to have that sort of optionality, but in practice, it's NOT A GOOD THING in a protocol.

[quote]
>
>> It is a bit like saying an 18 wheeler is suitable for driving the
>> kids to school. :-)
>
> I don't think this is true. Most oidc oauth extensions are optional
> with the sole requirement that providers don't barf if you send them.
>
[\quote]

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth