[Openid-specs-ab] Processing sector_identifier_uri values

George Fletcher gffletch at aol.com
Thu Oct 31 19:17:35 UTC 2013


I'm fine with this... basically....

1. Only check at client registration. If success, bind 
sector_identifier_uri to the client_id
2. Mechanisms to update a client registration are outside the scope of 
the document

i.e. what Mike said:)


On 10/31/13 1:31 PM, John Bradley wrote:
> You just need to validate the URI being added as a redirect_uri is 
> covered by the uri in the JSON file.   I would not expect that file 
> to be consulted for changes between registrations.
> If a URI is removed from the file and a client performs a registration 
> update action and no longer has one of its registered redirect_uri in 
> the file that is currently unspecified.
> I suppose the AS could just remove the redirect_uri or throw an error 
> similar to trying to add a redirect_uri that is not covered.
> Given that we don't currently have a way to update client 
> registrations this would be outside the spec.
> The file allows a client to maintain PPID across client_id changes or 
> multiple clients, checking it should only happen in registration that 
> is why it is not in the core spec.
> On Oct 29, 2013, at 9:59 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>> In his review of Registration, George wrote the following 
>> about http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation:
>> It seems like there is some pretty complicated OP logic required to 
>> process the sector_identifier_uri.
>> Given that the list of allowed redirect_uris in the JSON file can 
>> change at any time! the OP would
>> need to pull the file and verify that the current client redirect_uri 
>> is still present in the list. That is too much
>> overhead to do at token issuance. Should we have some guidance that 
>> redirect_uris can be added to the
>> sector_identifier_uri file but SHOULD NOT be removed. Removing a 
>> redirect_uri from the file results in
>> undefined behavior? With this guidance the OP can do all the 
>> necessary checking at client registration
>> time which seems reasonable.
>> It's always been my assumption that the sector_identifier_uri is 
>> validated once at registration time and never fetched again.  If 
>> people agree, I think we should say that.
>> -- Mike
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net 
>> <mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab

George Fletcher <http://connect.me/gffletch>
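
The registration-time-only check agreed on in this thread, as an added example that is not part of the original messages or of any OP's code. The names `register_client`, `sector_for`, `fetch` and `store` are hypothetical; the JSON-array file format and the use of the host as the sector identifier come from the Registration spec linked above, not from the thread.

```python
import json
from urllib.parse import urlsplit


class RegistrationError(Exception):
    """Raised when a registration request fails sector identifier validation."""


def register_client(client_id, redirect_uris, sector_identifier_uri, fetch, store):
    """Validate sector_identifier_uri once, then bind it to client_id.

    fetch(url) -> bytes is a hypothetical HTTPS getter supplied by the caller;
    store is a hypothetical dict standing in for the OP's client database.
    """
    parts = urlsplit(sector_identifier_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise RegistrationError("sector_identifier_uri must be an https URL")
    try:
        listed = json.loads(fetch(sector_identifier_uri))
    except ValueError as exc:
        raise RegistrationError("sector identifier file is not valid JSON") from exc
    if not isinstance(listed, list) or not all(isinstance(u, str) for u in listed):
        raise RegistrationError("sector identifier file must be a JSON array of strings")
    # Exact string comparison: every requested redirect_uri must be listed.
    missing = [u for u in redirect_uris if u not in listed]
    if missing:
        raise RegistrationError("redirect_uri not covered: " + ", ".join(missing))
    # Bind the result to the client_id. Later requests read this record
    # and never fetch the file again.
    store[client_id] = {
        "redirect_uris": list(redirect_uris),
        "sector_identifier_uri": sector_identifier_uri,
        "sector_identifier": parts.hostname,  # host component, per the spec
    }
    return store[client_id]


def sector_for(client_id, store):
    """Token-issuance path: reads the bound value, performs no network fetch."""
    return store[client_id]["sector_identifier"]
```

Because the binding is stored with the client_id, a later edit to the JSON file has no effect on an existing registration, which is the behavior the thread settles on.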