[Openid-specs-ab] OpenID Connect Federations

John Bradley ve7jtb at ve7jtb.com
Thu Aug 30 20:49:55 UTC 2012


I thought about signing the discovery response; however, a self-signed JWT is no more trustworthy than plain JSON retrieved over HTTPS.

Where a JOSE signed discovery doc may be useful could be for querying a trusted federation service over something like MDX.

However, I would see that as likely signed by the federation/trust service.

John
On 2012-08-24, at 7:21 AM, Andreas Åkre Solberg <andreas.solberg at uninett.no> wrote:

> Hi,
> 
> again, I'm considering the possibility of building Identity Federations with OpenID Connect.
> 
> I sketched my idea here:
> 
> 	https://github.com/andreassolberg/documents/blob/master/openidconnect/draft-solberg-connect-federations.md
> 
> The idea is basically to define a chain of JSON documents that lists trusted providers with the combination of issuer, jwt, UI info and possibly restrictions.
> 
> I've made an attempt to get updated on the latest work on the 1.0 spec. A few comments wrt federations.
> 
> I think it important to not rule out the possibility of implicit authorization. It is not obvious in Identity Federations to apply user consent /authorization at all.
> 	OIC Standard 2.3.4
> 	http://openid.net/specs/openid-connect-standard-1_0.html#anchor7
> 
> Another thing is the discovery protocol. OIC Discovery 3.2 says response MUST be a plain JSON. I believe there will be several use cases for signing the response as a self-signed JWT.
> 
> Andreas
> 
> 

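The trust distinction John draws above (a discovery document signed by the issuer's own key proves nothing beyond what HTTPS already gives, while one signed by the federation's key is worth checking) as an added example, not code from the thread or from either author. It assumes a constructed discovery document, a constructed federation key set looked up by `kid`, and HS256 shared secrets purely so it runs with the standard library; a real federation would publish public keys.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed sample keys. HS256 (shared secret) is an assumption made so the
# example needs no third-party library; a federation would use asymmetric keys.
FEDERATION_KEYS = {"fed-2012": b"federation-signing-secret (constructed)"}
ISSUER_KEYS = {"op-self": b"op-own-secret (constructed)"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_discovery(doc: dict, kid: str, key: bytes) -> str:
    """Wrap a discovery document in a compact JWS (HS256, keyed by kid)."""
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(doc).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_discovery(jws: str, trust_anchors: dict) -> Optional[dict]:
    """Return the discovery document only if a federation trust anchor signed it.
    A kid outside the anchors (e.g. the issuer signing its own document) yields
    None: a self-signature adds nothing beyond fetching the JSON over HTTPS."""
    try:
        header_b64, payload_b64, sig_b64 = jws.split(".")
        header = json.loads(_unb64url(header_b64))
        signature = _unb64url(sig_b64)
    except ValueError:          # malformed JWS, base64 or JSON
        return None
    key = trust_anchors.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_unb64url(payload_b64))

# Constructed discovery document for a hypothetical provider
DISCOVERY = {"issuer": "https://op.example.org",
             "jwks_uri": "https://op.example.org/jwks.json"}

FEDERATION_SIGNED = sign_discovery(DISCOVERY, "fed-2012", FEDERATION_KEYS["fed-2012"])
SELF_SIGNED = sign_discovery(DISCOVERY, "op-self", ISSUER_KEYS["op-self"])
```

The relying party keeps only federation keys as trust anchors, so the self-signed document falls through to None and must be treated exactly like unsigned JSON.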