[Openid-specs-ab] Processing sector_identifier_uri values

George Fletcher gffletch at aol.com
Thu Oct 31 15:46:49 UTC 2013

So here is another possible situation...

App 1 registers with sector_identifier_uri 
https://example.com/common_aps and that URL contains a single 
redirect_uri for app 1 (app1://my_app). Then App 2 comes along and 
registers the same sector_identifier_uri and because the company decided 
to sunset App 1 removes it from the JSON array and adds in app2://my_app.

Should the OP no longer assign pair-wise pseudonymous identifiers based 
on the sector_identifier_uri for App 1 (probably still some people out 
there using it)? Or is the guidance to determine if the registering 
app's redirect_uris are present in the sector_identifier_uri file and if 
so, permanently assign that sector_identifier_uri to the client_id and 
it can't be changed. Though that might be difficult if via the 
registration spec I can update parts of my registration config.

Maybe some guidance around the impacts of changing a 
sector_identifier_uri on users would be worthwhile?


On 10/31/13 10:16 AM, Justin Richer wrote:
> How about language that says the sector identifier would be pulled 
> down at registration and heavily cached.
>  -- Justin
> On 10/29/2013 08:59 PM, Mike Jones wrote:
>> In his review of Registration, George wrote the following about 
>> http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation:
>> It seems like there is some pretty complicated OP logic required to 
>> process the sector_identifier_uri.
>> Given that the list of allowed redirect_uris in the JSON file can 
>> change at any time! the OP would
>> need to pull the file and verify that the current client redirect_uri 
>> is still present in the list. That is too much
>> overhead to do at token issuance. Should we have some guidance that 
>> redirect_uris can be added to the
>> sector_identifier_uri file but SHOULD NOT be removed. Removing a 
>> redirect_uri from the file results in
>> undefined behavior? With this guidance the OP can do all the 
>> necessary checking at client registration
>> time which seems reasonable.
>> It’s always been my assumption that the sector_identifier_uri is 
>> validated once at registration time and never fetched again.  If 
>> people agree, I think we should say that.
>> -- Mike
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab

George Fletcher <http://connect.me/gffletch>
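An added example, not from the thread, of the two OP-side pieces under discussion: the registration-time check of the sector_identifier_uri document against a client's redirect_uris, and a pairwise sub derivation (the SHA-256 example algorithm from OpenID Connect Core 8.1) run through George's sunset scenario. The document versions, salt and local account id are constructed, and the HTTP fetch is left out so it runs offline.

```python
import hashlib
import json
from urllib.parse import urlparse


def validate_sector_identifier(sector_identifier_uri, sector_document, redirect_uris):
    """Registration-time check from the Registration spec's Sector Identifier
    Validation section. `sector_document` is the JSON body the OP would fetch
    from sector_identifier_uri (passed in so the example runs offline).
    Returns the sector identifier (the URI's host) or raises ValueError."""
    parsed = urlparse(sector_identifier_uri)
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("sector_identifier_uri must be an https URL with a host")
    allowed = json.loads(sector_document)
    if not isinstance(allowed, list) or not all(isinstance(u, str) for u in allowed):
        raise ValueError("sector document must be a JSON array of redirect URI strings")
    missing = [u for u in redirect_uris if u not in allowed]
    if missing:
        raise ValueError("redirect_uris not listed in sector document: %r" % missing)
    return parsed.hostname


def pairwise_sub(sector_identifier, local_account_id, salt):
    """One of the example algorithms in OpenID Connect Core 8.1: hash the
    sector identifier, the local account id and an OP-private salt."""
    material = sector_identifier.encode() + b"|" + local_account_id.encode() + salt
    return hashlib.sha256(material).hexdigest()


def sunset_scenario():
    """George's case: App 2 replaces App 1 in the sector document."""
    sector_uri = "https://example.com/common_aps"
    doc_v1 = '["app1://my_app"]'            # constructed: file when App 1 registered
    doc_v2 = '["app2://my_app"]'            # constructed: file after App 1 was removed
    salt = b"constructed-op-private-salt"   # constructed OP-private salt
    account = "user-12345"                  # constructed local account id

    sector_app1 = validate_sector_identifier(sector_uri, doc_v1, ["app1://my_app"])
    sector_app2 = validate_sector_identifier(sector_uri, doc_v2, ["app2://my_app"])
    # The pairwise sub depends only on the URI's host, so both apps share it.
    sub_app1 = pairwise_sub(sector_app1, account, salt)
    sub_app2 = pairwise_sub(sector_app2, account, salt)
    # If the OP re-fetched the file later, App 1 would no longer pass the check,
    # even though its users' pairwise subs are unaffected by the edit.
    try:
        validate_sector_identifier(sector_uri, doc_v2, ["app1://my_app"])
        app1_still_valid = True
    except ValueError:
        app1_still_valid = False
    return sub_app1, sub_app2, app1_still_valid
```

Validating once at registration, as Mike suggests, keeps the sub stable and avoids the re-fetch failure the scenario exposes.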