[Openid-specs-ab] WGLC for the Migration spec. towards the implementer's draft

Richer, Justin P. jricher at mitre.org
Mon Jul 28 12:56:33 UTC 2014


I'm not seeing the purpose in returning the JWK set from the OpenID 2 identifier URI, especially if the client is supposed to be doing regular OIDC to validate the ID Token anyway (and will therefore fetch the issuer's jwks_uri). Can you please explain to me what this step is supposed to be accomplishing?

Is the idea that the client would be able to verify that the claimed OpenID 2 identifier actually points to the given issuer, basically completing the round-trip verification? If that's the case, then wouldn't it make more sense to return the OpenID Connect issuer from the OpenID 2 discovery steps? Then from the issuer you can determine the key, just like normal. This would allow for a forward-looking discovery launching point ("all I have is this OpenID 2.0 URI, what's the OpenID Connect process to start here?") as well as a backward-looking verification for the claim.

 -- Justin

On Jul 27, 2014, at 9:35 AM, Nat Sakimura <sakimura at gmail.com> wrote:

Actually, the OpenID 2.0 Identifier URL returns JWK Set. It should probably be more explicit than to say application/jwk-set+json.

Good point about returning jwk_uri instead of the JWK Set.
The downside is that you have to make two calls, but it is only once per RP/OpenID 2.0 Identifier pair, so it probably is OK.

What do others think?

Nat


2014-07-26 11:52 GMT-04:00 Torsten Lodderstedt <torsten at lodderstedt.net>:
Hi Nat,

I just read the spec (for the first time) and think the concept is generally sound. I'm wondering a bit about the way the client obtains the OP's public key. The GET request on the OpenID 2.0 Identifier URL directly returns the JWK. I would suggest just returning the jwk_uri, in the same way OpenID Connect Discovery does it. This way this GET request is static (even with key rotation in place) and the OP can reuse the existing functionality to publish its public keys (including support for multiple keys in case of rotation).

What do you think?

kind regards,
Torsten.

Am 26.07.2014 07:44, schrieb Nat Sakimura:
Thanks to Edmund Jay, the examples are now fixed.
This is to initiate the WG Last Call.
Please review the document and file issues, if there are any, within a week.
Once all the issues are resolved, we will go to the implementer's draft public review period for 45 days.

Nat

--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en



_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab

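The flow the thread converges on, as an added example that is not code from the thread, from the Migration draft, or from any OP or RP implementation: the RP starts from an OpenID 2.0 Identifier URL, discovers the OpenID Connect issuer from it (Justin's forward-looking launching point), reaches the keys through the issuer's discovery document and jwks_uri (Torsten's suggestion, which also gives kid-based key rotation for free), validates the ID Token, and then closes Justin's round trip by requiring the token's iss to be the issuer the identifier led to. Everything in it is assumed rather than taken from the draft: that the identifier URL returns JSON with an "issuer" member, that the ID Token carries the identifier in an "openid2_id" claim, the hosts and paths, the fixed clock, and the seeded toy RSA key generation (used only so the example signs and verifies RS256 offline with the standard library).

```python
import base64, hashlib, hmac, json, math, random

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Minimal RS256 (RSASSA-PKCS1-v1_5 with SHA-256) on the stdlib so the demo runs offline.
_DER_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo prefix

def _probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                   # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa(bits: int, seed: int):            # toy, seeded keygen: demo only, never real keys
    rng = random.Random(seed)
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rng):
                return c
    while True:
        p, q, e = prime(), prime(), 65537
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def _em(msg: bytes, k: int) -> bytes:         # EMSA-PKCS1-v1_5 encoding of SHA-256(msg)
    t = _DER_SHA256 + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg: bytes, n: int, d: int) -> bytes:
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_em(msg, k), "big"), d, n).to_bytes(k, "big")
def rs256_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _em(msg, k))

# The OP side: discovery metadata, a two-key JWK Set (key rotation) and one ID Token.
ISSUER = "https://op.example"                     # constructed
OPENID2_ID = "https://op.example/openid2/alice"   # constructed OpenID 2.0 Identifier URL
CLIENT_ID = "rp-client-42"                        # constructed
NOW = 1406600000                                  # fixed clock for the demo

def build_op():
    keys, jwks = {}, []
    for i, kid in enumerate(("2014-06", "2014-07")):   # old key still published, new key signs
        n, e, d = gen_rsa(1024, seed=i + 1)
        keys[kid] = (n, d)
        jwks.append({"kty": "RSA", "kid": kid, "n": b64u(n.to_bytes(128, "big")),
                     "e": b64u(e.to_bytes(3, "big"))})
    header = {"alg": "RS256", "kid": "2014-07"}
    claims = {"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "iat": NOW,
              "exp": NOW + 600, "openid2_id": OPENID2_ID}     # claim name is an assumption
    signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    id_token = signing_input + "." + b64u(rs256_sign(signing_input.encode(), *keys["2014-07"]))
    docs = {OPENID2_ID: {"issuer": ISSUER},             # assumed shape of the identifier response
            ISSUER + "/.well-known/openid-configuration": {"issuer": ISSUER, "jwks_uri": ISSUER + "/keys.json"},
            ISSUER + "/keys.json": {"keys": jwks}}
    return id_token, (lambda url: json.dumps(docs[url]))  # stand-in for an HTTPS GET

def verify_migrated_id_token(id_token: str, openid2_id: str, client_id: str, fetch, now: int) -> dict:
    # Forward: identifier URL -> issuer -> discovery document -> jwks_uri -> keys
    issuer = json.loads(fetch(openid2_id))["issuer"]
    cfg = json.loads(fetch(issuer.rstrip("/") + "/.well-known/openid-configuration"))
    if not issuer.startswith("https://") or cfg["issuer"] != issuer:
        raise ValueError("issuer must be https and match its discovery document")
    keys = json.loads(fetch(cfg["jwks_uri"]))["keys"]
    h64, p64, s64 = id_token.split(".")
    header = json.loads(b64u_dec(h64))
    if header.get("alg") != "RS256":              # pin the algorithm; the header alone is untrusted
        raise ValueError("unexpected alg")
    jwk = next((k for k in keys if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no published key with kid %r" % header.get("kid"))
    n, e = (int.from_bytes(b64u_dec(jwk[x]), "big") for x in ("n", "e"))
    if not rs256_verify((h64 + "." + p64).encode(), b64u_dec(s64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64u_dec(p64))
    # Backward: the token must come from the issuer the identifier led to and name that identifier
    if claims.get("iss") != issuer or claims.get("openid2_id") != openid2_id:
        raise ValueError("identifier/issuer round trip failed")
    if client_id not in (claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]):
        raise ValueError("aud mismatch")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims
```

The backward check is what makes the forward discovery safe: the identifier URL is the only place that says which issuer may speak for that identifier, so an OP that can mint valid ID Tokens for its own iss still cannot assert an OpenID 2.0 identifier whose URL does not name it. The kid lookup is why publishing jwks_uri rather than a single key matters in practice: the old key stays in the set while tokens signed with the rotated-in key verify without any change to what the identifier URL returns.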
