[Openid-specs-ab] Login Initiation endpoint.

Torsten Lodderstedt torsten at lodderstedt.net
Tue Nov 26 09:28:38 UTC 2013


No last-minute changes with such a potential negative security impact

Nat Sakimura <sakimura at gmail.com> wrote:
>I wonder how these SAML implementations are dealing with CSRF. 
>=nat via iPhone
>On Nov 26, 2013, at 3:03, "Richer, Justin P." <jricher at mitre.org> wrote:
>> I really don't like this. It goes against the structure of how OAuth
>works, and there's no way for the RP to put anything into the id token
>(like nonce, state, etc.) to bind to a particular session and prevent a
>stolen id token being used to log in directly by another user. The fact
>that the RP starts the auth conversation is important, and I'm not at
>all comfortable with having this workaround. 
>> At the very least, this should be proposed as an extension and get
>hammered out separately. (But even then I don't think it has legs.)
>>  -- Justin
>> On Nov 25, 2013, at 10:58 AM, John Bradley <ve7jtb at ve7jtb.com>
>>  wrote:
>>> For Core Section 3 I would like to add the following optional
>parameter to the login initiation endpoint.
>>> id_token
>>> OPTIONAL. If the initiator is the iss then it may include an initial
>id_token.  The value of exp SHOULD be set to a small value in the range
>of 5 minutes. 
>>> The id_token must contain a valid aud restricting it to the client
>receiving it.
>>> If the client receives a value for this string-valued parameter, it
>MUST include it in the subsequent authorization request as the
>id_token_hint parameter value.
>>> I have been getting push back from people looking to convert from
>SAML that Connect forces many more round trips than SAML for doing IdP
>initiated login.  
>>> Sending an initial short lived id_token lets the client do the quick
>customization of the UI that the id_token was intended to enable while
>allowing the client to get access tokens and a new id_token in the
>background using prompt=none.  
>>> This also reduces the eventual pressure to add more parameters to
>the endpoint as the AS can tack on additional claims it needs to
>maintain state.
>>> I think we did have the id_token as a parameter at one point, then
>changed it to the login_hint when that was added to make it more
>>> I know this is a late addition request.
>>> John B.
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
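The flow John proposes (initiator sends a short-lived id_token to the login initiation endpoint; the RP checks aud and exp, then echoes it as id_token_hint in a prompt=none authorization request while binding fresh state and nonce to its own session) as an added worked example. This is not code from the thread or from any OpenID Foundation implementation. The issuer, client_id, redirect_uri and the HS256 shared key are assumptions made so the example runs offline; a real OP signs with an asymmetric key and the RP verifies against the OP's JWKS.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Hypothetical identifiers for the example; none of these appear in the thread.
ISSUER = "https://op.example.com"
CLIENT_ID = "rp-client-123"
REDIRECT_URI = "https://rp.example.com/callback"
# Assumption: a shared HS256 key so the example runs offline. A real OP would
# sign with an asymmetric key and the RP would fetch the public key via JWKS.
SHARED_KEY = b"demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_initial_id_token(sub: str, key: bytes, now: int, aud: str = CLIENT_ID, lifetime: int = 300) -> str:
    """OP side: the short-lived initial id_token from the proposal (exp about 5 minutes)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + lifetime}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_initial_id_token(token: str, key: bytes, now: int):
    """RP side: return (claims, "ok") or (None, reason). Checks signature, iss, aud and exp."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, c, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(c))
        sig = _b64url_decode(s)
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return None, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "undecodable token"
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "bad signature"
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        return None, "token not addressed to this client"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None, "token expired"
    return claims, "ok"


def build_login_initiation_query(id_token: str, target: str) -> str:
    """Initiator side (here the OP itself): query string sent to the RP's login initiation endpoint."""
    return urlencode({"iss": ISSUER, "target_link_uri": target, "id_token": id_token})


def handle_login_initiation(query: str, key: bytes, now: int, session: dict) -> dict:
    """RP side: validate the hint, bind fresh state/nonce to the RP session, and return the
    parameters of the background authorization request (prompt=none, id_token_hint)."""
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if params.get("iss") != ISSUER:
        raise ValueError("unknown or missing iss")
    token = params.get("id_token")
    if token is None:
        raise ValueError("no id_token supplied")  # the plain login_hint flow would go here
    claims, reason = validate_initial_id_token(token, key, now)
    if claims is None:
        raise ValueError(reason)
    # The RP now knows the claimed subject and can pre-render its UI, but it does not
    # treat the user as logged in until the authorization response comes back.
    session["state"] = secrets.token_urlsafe(16)
    session["nonce"] = secrets.token_urlsafe(16)
    session["expected_sub"] = claims["sub"]
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session["state"],
        "nonce": session["nonce"],
        "prompt": "none",
        "id_token_hint": token,  # the proposal says the RP MUST echo the received value
    }


def authorization_url(params: dict) -> str:
    return ISSUER + "/authorize?" + urlencode(params)


if __name__ == "__main__":
    now = int(time.time())
    tok = mint_initial_id_token("alice", SHARED_KEY, now)
    sess = {}
    req = handle_login_initiation(build_login_initiation_query(tok, "https://rp.example.com/app"), SHARED_KEY, now + 60, sess)
    print(authorization_url(req))
```

The state and nonce are generated by the RP only when it builds the authorization request, which is the point the discussion turns on: nothing in the initial id_token itself is bound to an RP session, so the RP must treat it purely as a hint and rely on the subsequent authorization response, whose nonce it can check against `session["nonce"]`, before establishing a login.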
