[Openid-specs-ab] Issue #1345: Relying Party Instances and metadata in SIOP (openid/connect)

David Waite issues-reply at bitbucket.org
Thu Sep 30 16:56:13 UTC 2021

New issue 1345: Relying Party Instances and metadata in SIOP

David Waite:

On the Connect/SIOP call today, a good portion of discussion was centered on public (non-confidential) clients which were native apps or client-side web applications, which have similar limitations to SIOP:

1. Limitations on HTTP methods (e.g. native apps cannot receive form posts with POST, PWA form post with POST will send data to hosted infrastructure)
2. Lack of back-end API endpoints (can still have shared back-end infrastructure between one or more RPs, but not per-instance)
3. Inability to securely share secrets for e.g. signed requests
4. Reduced capacity to prevent malicious client impersonation

This appeared to be brought to a head by additional restriction on the “registration” parameter and other registration data to be authoritative for the RP. For example, one party indicated they were using the registration parameter to supply consistent public keys and were using that, rather than the client_id, to distinguish and secure individual RP “instances”. This also has been exacerbated by the use of OpenID Federation’s automatic client registration, which requires a client public key to be known for signed communication.

This issue is meant to collect discussion topics on normative spec behavior around metadata. Separate issue(s) should be used for discussion of endpoints for large request/response messages and for cross-device communication.