[Openid-specs-ab] Issue #1217: Require JAR in SIOP to strongly ID the Relying Party (openid/connect)

tomcjones issues-reply at bitbucket.org
Fri Apr 2 03:50:23 UTC 2021

New issue 1217: Require JAR in SIOP to strongly ID the Relying Party

Tom Jones:

I have been implementing a chooser for SIOP. One thing that has struck me is that if a URL AR is allowed there is no real way for the SIOP to know the identity of the client. There is a client ID (could be made up) and a redirect, which is the best evidence, but I don't know how to turn that into a value that the user could understand. Therefore I would like to enforce the use of a signed packet from the client (relying party) for all SIOP operations. I would require that the sig match the key and that the client ID be something recognizable, or that we create/require a new field to identify the client in terms that the user can understand. (A JAR is just my suggestion. Other suggestions welcomed.)

THIS IS A SECURITY AND PRIVACY ISSUE which I consider to be pri one.


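The check proposed in the message, written out as an added example in Go; this is not code from the issue, from the OpenID specifications or from any wallet implementation. It assumes the SIOP holds a small pre-registered registry keyed by client_id that records each relying party's ES256 public key, its redirect URI and a human-readable display name; the registry contents, the aud value and the client_id and URL values are constructed for the example. VerifyJAR accepts a request object only when its signature verifies under the key registered for the client_id it asserts, rejects alg "none", an unregistered client_id, an unregistered redirect_uri, a wrong audience and an expired request, and returns the registered display name, which is the user-understandable value the chooser can show.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SIOPAudience is the aud value a request object addressed to the SIOP carries (assumed value).
const SIOPAudience = "https://self-issued.me/v2"
// RegisteredClient is what the SIOP knows about a relying party ahead of time: the key its
// request objects must be signed with, its redirect URI, and a name the user can recognise.
type RegisteredClient struct {
	DisplayName, RedirectURI string
	PublicKey                *ecdsa.PublicKey
}
type Registry map[string]*RegisteredClient // client_id -> relying party; how entries get there is assumed
// JARClaims are the request parameters carried inside the signed request object.
type JARClaims struct {
	ClientID    string `json:"client_id"`
	Aud         string `json:"aud"`
	RedirectURI string `json:"redirect_uri"`
	Exp         int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding
func decodeJSON(segment string, v interface{}) error {
	raw, err := b64.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// SignJAR builds the ES256-signed request object (compact JWS) that the relying party sends.
func SignJAR(priv *ecdsa.PrivateKey, claims JARClaims) (string, error) {
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // a JWS ES256 signature is raw r||s, each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyJAR is the SIOP-side check: a request is accepted only if it verifies under the key
// registered for the client_id it asserts, so the returned name is bound to that key, not to an id.
func VerifyJAR(reg Registry, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("request object is not a compact JWS")
	}
	var hdr struct{ Alg string `json:"alg"` }
	var claims JARClaims
	if err := decodeJSON(parts[0], &hdr); err != nil {
		return "", err
	}
	if err := decodeJSON(parts[1], &claims); err != nil {
		return "", err
	}
	if hdr.Alg != "ES256" { // rejects alg "none" and symmetric algorithms outright
		return "", fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	client, ok := reg[claims.ClientID] // the asserted id only selects which key to check against
	if !ok {
		return "", fmt.Errorf("unregistered client_id %q", claims.ClientID)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return "", fmt.Errorf("malformed ES256 signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(client.PublicKey, digest[:], r, s) {
		return "", fmt.Errorf("signature does not verify under the key registered for %s", claims.ClientID)
	}
	if claims.Aud != SIOPAudience || claims.RedirectURI != client.RedirectURI || !now.Before(time.Unix(claims.Exp, 0)) {
		return "", fmt.Errorf("request is not for this SIOP, uses an unregistered redirect_uri, or has expired")
	}
	return client.DisplayName, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	reg := Registry{"https://shop.example": {"Example Shop", "https://shop.example/cb", &priv.PublicKey}}
	tok, _ := SignJAR(priv, JARClaims{"https://shop.example", SIOPAudience, "https://shop.example/cb", time.Now().Add(5 * time.Minute).Unix()})
	fmt.Println(VerifyJAR(reg, tok, time.Now()))
}
```

The ordering is the point: the asserted client_id only selects which key to verify against, so a made-up client_id fails closed at the registry lookup and a real client_id signed with someone else's key fails at the signature check, and only then is the registered display name handed to the chooser. The example covers a request object passed by value; a request fetched from a request_uri would be run through the same VerifyJAR once retrieved. How the registry is populated (pre-registration, a trust list, or a resolvable client_id) is the part the example deliberately leaves open.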