[Openid-specs-ab] Processing sector_identifier_uri values

Mike Jones Michael.Jones at microsoft.com
Thu Nov 28 01:46:49 UTC 2013

I've added this text to my working copy of Registration:

                This MUST be validated at registration time;
                there is no requirement for the OP to retain the contents of this JSON file
                or to retrieve or revalidate its contents in the future.

This follows the text:
                The values registered in <spanx style="verb">redirect_uris</spanx>
                MUST be included in the elements of the array,
                or registration MUST fail.

Let me know if you believe this addresses the issue or if you would like to see different wording.

                                                                -- Mike
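The registration-time check that the text above describes, as an added example that is not part of this thread or of any OpenID implementation: the OP fetches the sector_identifier_uri document once at registration, fails the registration unless every redirect_uri is an element of the JSON array, and binds the validated sector_identifier_uri to the client_id without consulting the file again. The example hosts, the fetch stub and the exact string comparison of URIs are assumptions.

```python
import json
from dataclasses import dataclass

class RegistrationError(Exception):
    """Raised when registration MUST fail."""

@dataclass(frozen=True)
class RegisteredClient:
    # Bound to client_id at registration; the JSON file itself is not retained or re-fetched.
    client_id: str
    redirect_uris: tuple
    sector_identifier_uri: str

def parse_sector_document(body: str) -> set:
    """The document MUST be a JSON array of URI strings; anything else fails registration."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise RegistrationError(f"sector_identifier_uri body is not JSON: {exc}") from exc
    if not isinstance(doc, list) or not all(isinstance(u, str) for u in doc):
        raise RegistrationError("sector_identifier_uri body is not a JSON array of strings")
    return set(doc)

def register_client(client_id, redirect_uris, sector_identifier_uri, fetch):
    """Registration-time check only: every redirect_uri MUST be in the array, or fail."""
    allowed = parse_sector_document(fetch(sector_identifier_uri))  # fetch(uri) -> str
    missing = [u for u in redirect_uris if u not in allowed]  # exact string match (assumption)
    if missing:
        raise RegistrationError(f"redirect_uris not in sector_identifier_uri file: {missing}")
    return RegisteredClient(client_id, tuple(redirect_uris), sector_identifier_uri)

# Constructed sample: a hosted file listing two redirect URIs (hypothetical hosts).
SECTOR_URI = "https://sector.example.com/redirect_uris.json"
SECTOR_FILE = json.dumps(["https://app1.example.com/cb", "https://app2.example.com/cb"])
fetch_count = {"n": 0}

def fetch(uri: str) -> str:
    fetch_count["n"] += 1  # counts fetches: token issuance later never calls this
    return SECTOR_FILE if uri == SECTOR_URI else "[]"

def demo() -> tuple:
    """Returns (accepted client, error text for an uncovered redirect_uri, fetch count)."""
    fetch_count["n"] = 0
    ok = register_client("c1", ["https://app1.example.com/cb"], SECTOR_URI, fetch)
    try:
        register_client("c2", ["https://other.example.net/cb"], SECTOR_URI, fetch)
        err = None
    except RegistrationError as exc:
        err = str(exc)
    return ok, err, fetch_count["n"]  # two fetches, one per registration attempt
```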

From: George Fletcher [mailto:gffletch at aol.com]
Sent: Thursday, October 31, 2013 12:18 PM
To: John Bradley; Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Processing sector_identifier_uri values


I'm fine with this... basically....

1. Only check at client registration. If success, bind sector_identifier_uri to the client_id
2. Mechanisms to update a client registration are outside the scope of the document

i.e. what Mike said :)

On 10/31/13 1:31 PM, John Bradley wrote:
You just need to validate that the URI being added as a redirect_uri is covered by the URI in the JSON file. I would not expect that file to be consulted for changes between registrations.

If a URI is removed from the file and a client performs a registration update action and no longer has one of its registered redirect_uris in the file, that is currently unspecified.

I suppose the AS could just remove the redirect_uri or throw an error similar to trying to add a redirect_uri that is not covered.

Given that we don't currently have a way to update client registrations this would be outside the spec.

The file allows a client to maintain PPIDs across client_id changes or multiple clients; checking it should only happen at registration, which is why it is not in the Core spec.

On Oct 29, 2013, at 9:59 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

In his review of Registration, George wrote the following about http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation:
It seems like there is some pretty complicated OP logic required to process the sector_identifier_uri. Given that the list of allowed redirect_uris in the JSON file can change at any time! the OP would need to pull the file and verify that the current client redirect_uri is still present in the list. That is too much overhead to do at token issuance. Should we have some guidance that redirect_uris can be added to the sector_identifier_uri file but SHOULD NOT be removed? Removing a redirect_uri from the file results in undefined behavior? With this guidance the OP can do all the necessary checking at client registration time, which seems reasonable.

It's always been my assumption that the sector_identifier_uri is validated once at registration time and never fetched again.  If people agree, I think we should say that.

                                                                -- Mike

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net

