[Openid-specs-ab] Login Initiation endpoint.

Torsten Lodderstedt torsten at lodderstedt.net
Tue Nov 26 09:28:38 UTC 2013


+1

No last-minute changes with such a potential negative security impact



Nat Sakimura <sakimura at gmail.com> wrote:
>+1
>
>I wonder how these SAML implementations are dealing with CSRF. 
>
>=nat via iPhone
>
>On Nov 26, 2013, at 3:03, "Richer, Justin P." <jricher at mitre.org> wrote:
>
>> I really don't like this. It goes against the structure of how OAuth
>works, and there's no way for the RP to put anything into the id token
>(like nonce, state, etc.) to bind to a particular session and prevent a
>stolen id token being used to log in directly by another user. The fact
>that the RP starts the auth conversation is important, and I'm not at
>all comfortable with having this workaround. 
>> 
>> At the very least, this should be proposed as an extension and get
>hammered out separately. (But even then I don't think it has legs.)
>> 
>>  -- Justin
>> 
>> On Nov 25, 2013, at 10:58 AM, John Bradley <ve7jtb at ve7jtb.com>
>>  wrote:
>> 
>>> For Core Section 3 I would like to add the following optional
>parameter to the login initiation endpoint.
>>> 
>>> id_token
>>> OPTIONAL. If the initiator is the iss then it may include an initial
>id_token.  The value of exp SHOULD be set to a small value in the range
>of 5 minutes. 
>>> The id_token must contain a valid aud restricting it to the client
>receiving it.
>>> If the client receives a value for this string-valued parameter, it
>MUST include it in the subsequent authorization request as the
>id_token_hint parameter value.
>>> 
>>> 
>>> I have been getting push back from people looking to convert from
>SAML that Connect forces many more round trips than SAML for doing IdP
>initiated login.  
>>> Sending an initial short lived id_token lets the client do the quick
>customization of the UI that the id_token was intended to enable while
>allowing the client to get access tokens and a new id_token in the
>background using prompt=none.  
>>> 
>>> This also reduces the eventual pressure to add more parameters to
>the endpoint as the AS can tack on additional claims it needs to
>maintain state.
>>> 
>>> I think we did have the id_token as a parameter at one point then
>changed it to the login_hint when that was added to make it more
>general.
>>> 
>>> I know this is a late addition request.
>>> 
>>> John B.
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
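The flow John proposes, and the binding gap Justin points out, as an added Python example (not code from this thread or from any OpenID Connect implementation). It checks the claims of an initial id_token received at the login initiation endpoint (iss, aud restricted to the client, exp within the roughly five-minute window the proposal suggests), then builds the follow-up prompt=none authorization request carrying the token as id_token_hint together with an RP-minted state and nonce, and finally accepts the background-flow id_token only when those values match the RP's own session. The client id, issuer, redirect URI, timestamps and token strings are constructed placeholders, and signature verification of the initial token is assumed to have happened before these functions are called.

```python
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values for this example; none of them come from the thread.
CLIENT_ID = "rp-client-123"
EXPECTED_ISS = "https://idp.example.test"
REDIRECT_URI = "https://rp.example.test/cb"
MAX_INITIAL_LIFETIME = 5 * 60  # the proposal: exp "in the range of 5 minutes"


class InitiationError(ValueError):
    """Raised when an id_token must not be accepted."""


def validate_initial_id_token(claims, now=None, client_id=CLIENT_ID,
                              expected_iss=EXPECTED_ISS,
                              max_lifetime=MAX_INITIAL_LIFETIME):
    """Check the claims of an initial id_token presented at login initiation.

    `claims` is the already-decoded JWT payload. Verifying the JWS signature
    against the issuer's keys is assumed to be an earlier (hypothetical) step.
    The result is only good enough to customise the UI; it is not a login.
    """
    now = int(time.time()) if now is None else now
    if claims.get("iss") != expected_iss:
        raise InitiationError("iss is not the issuer that initiated login")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise InitiationError("aud does not restrict the token to this client")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        raise InitiationError("exp missing")
    if exp <= now:
        raise InitiationError("initial id_token already expired")
    if exp - now > max_lifetime:
        raise InitiationError("exp exceeds the short lifetime an initial token should have")
    if not claims.get("sub"):
        raise InitiationError("sub missing")
    return claims


def build_background_authz_request(authz_endpoint, raw_id_token, session):
    """Build the prompt=none request that fetches a fresh id_token and tokens.

    The initial id_token carries nothing the RP chose, so this request is the
    only place the RP can bind the exchange to the browser session: it mints
    state and nonce itself and records them in its own session store.
    """
    state = secrets.token_urlsafe(32)
    nonce = secrets.token_urlsafe(32)
    session["state"] = state
    session["nonce"] = nonce
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "nonce": nonce,
        "prompt": "none",
        "id_token_hint": raw_id_token,  # the proposal's MUST for the client
    }
    return f"{authz_endpoint}?{urlencode(params)}"


def parse_authz_request(url):
    """Split a built request's query back into single-valued parameters."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def accept_final_id_token(final_claims, initial_claims, session, returned_state):
    """Accept the background-flow id_token only if it is bound to this session.

    `returned_state` is the state echoed on the redirect back to the RP.
    A token without the session's nonce, or naming a different sub than the
    initial token, is refused rather than used to log anyone in.
    """
    if returned_state != session.get("state"):
        raise InitiationError("state mismatch: response not tied to this session")
    if final_claims.get("nonce") != session.get("nonce"):
        raise InitiationError("nonce mismatch: id_token not tied to this session")
    if final_claims.get("sub") != initial_claims.get("sub"):
        raise InitiationError("sub differs from the initial id_token")
    return final_claims
```

The point of splitting the work into three functions is that only the last one grants a login: the initial token, even when every claim checks out, is treated as a hint, and the session is established solely on the id_token that carries the RP's own nonce.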