[Openid-specs-ab] OpenID Connect and Identity Delegation

Mike Jones Michael.Jones at microsoft.com
Fri Mar 29 00:13:23 UTC 2013

"azp" isn't an OAuth construct - it's an OpenID Connect construct that we've defined (although apparently not precisely enough that we have broad agreement on what it means and how it's used).  I think the outcome of this thread should be to clarify the definition so others will understand better what was intended and what wasn't.

My logic is that if it was legitimate to just hand off the token from one client to another without any indication that it's OK to do so, we wouldn't need "azp" at all; we'd just give the token to the other presenter and it would happily use it.  "azp" is there as a declaration that, in this particular case, the handoff was authorized, and that that the party identified in the "azp" claim is a legitimate presenter, even though it was not the requester of the token.  Hence, without "azp", the token is scoped to the requesting client as the sole authorized presenter.

In summary, if handoff to arbitrary parties was OK, we wouldn't need "azp" in the first place.

                                                                -- Mike

From: Nat Sakimura [mailto:sakimura at gmail.com]
Sent: Thursday, March 28, 2013 5:06 PM
To: Mike Jones
Cc: Tim Bray; openid-specs-ab
Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation

Could you point me to the text in OAuth spec describing it?

Also, there are legitimate cases where changing hands happens, which is not leaking.
As long as the original party that has gotten the bearer token is consciously handing it to another client, it should be fine. e.g., sometimes connected client handing it to the server component that has a different client_id.

2013/3/29 Mike Jones <Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>>
Changing hands doesn't mean that it's authorized.  It just means that the token has been leaked to an unauthorized party.

                                                                -- Mike

From: Nat Sakimura [mailto:sakimura at gmail.com<mailto:sakimura at gmail.com>]
Sent: Thursday, March 28, 2013 4:51 PM
To: Mike Jones
Cc: Tim Bray; openid-specs-ab

Subject: Re: [Openid-specs-ab] OpenID Connect and Identity Delegation

Which is not the case that it may sometime change the hand. The name bearer suggests otherwise as well. Bearer is whoever has it.

>From Oxford Dictionary:

1a person or thing that carries or holds something:
2a person who presents a cheque or other order to pay money:

And here is a description of "bearer bond" from wikipedia:

A bearer bond is a debt security issued by a business entity, such as a corporation, or by a government. It differs from the more common types of investment securities in that it is unregistered - no records are kept of the owner, or the transactions involving ownership. Whoever physically holds the paper on which the bond is issued owns the instrument<http://en.wikipedia.org/wiki/Financial_instrument>. This is useful for investors<http://en.wikipedia.org/wiki/Investor> who wish to retain anonymity. Recovery of the value of a bearer bond in the event of its loss, theft, or destruction is usually impossible.

At the same time, bearer is more privacy preserving in some sense. In a "registered token", i.e., token with the "azp", it is impossible to hide who is presenting it.


Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130329/a51c40a0/attachment-0001.html>

More information about the Openid-specs-ab mailing list