[Openid-specs-ab] Some comments on OpenID 2.0 to OpenID Connect Migration spec

Markus Sabadello markus.sabadello at gmail.com
Sat Aug 23 12:36:27 UTC 2014


http://openid.bitbucket.org/openid-connect-migration-1_0.html

--------------
In section 1.2:
"OpenID 2.0 Identifier
Verified user identifier as specified by OpenID Authentication 2.0."

maybe change to

"OpenID 2.0 Identifier
Verified *Claimed Identifier* as specified by OpenID Authentication 2.0."

--------------

In sections 2 and 6, something feels a bit strange about retrieving the
"iss" simply with a plain GET and Content-Type application/json. I was
wondering if this shouldn't instead use OIDC Issuer Discovery / Webfinger?
But of course it would work the way it is written now.

--------------

In section 4:

"For XRI, OpenID 2.0 Identifier MUST be created as https://xri.net/
concatenated with the user's verified XRI without the xri:// scheme."

The problem with this I think is that in OpenID 2.0, for an XRI the Claimed
Identifier is the pure CanonicalID (I-Number), without https:// or xri://
scheme. For example, an RP might have *=!91F2.8153.F600.AE24* as the
Claimed Identifier (openid2_id) for a user in its database.
So I think in section 4, we should either not say anything specific at all
about XRI, or say something like this:

"For XRI, OpenID 2.0 Identifier MUST be the content of the <CanonicalID>
element, as specified in [OpenID.2.0]"

Then an example ID Token would be:

{
 "iss": "?? not sure",
 "sub": "?? not sure",
 "aud": "s6BhdRkqt3",
 "nonce": "n-0S6_WzA2Mj",
 "exp": 1311281970,
 "iat": 1311280970,
 "openid2_id": "*=!91F2.8153.F600.AE24*"
}

But then I can see that obtaining an "iss" as described in sections 2 and 6
won't work.

--------------

I remember Nat+John telling me at one of the previous IIWs how XRI to OIDC
migration would work, but I don't remember the details.

Would this involve a Self-Issued OIDC Provider?
Would there be just one OIDC Provider (xri.net), or would there be a way to
have one OIDC for each registrar (i-broker)?
What would the "iss" and "sub" values be?
--------------

In section 6:

Grammar: "A malicious OP may try to impersonate the user by returning *an*
OpenID 2.0 Identifier that it is not authoritative for."

--------------

In appendix A in the diagram, shouldn't "Resource" be "Relying Party"?

--------------

Markus
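As an added example (not code from this e-mail or from the migration draft), here is the RP-side check that sections 2 and 6 imply: before linking the openid2_id claim to the new sub, the RP resolves the OpenID 2.0 Identifier as JSON and confirms that the issuer it names is the same issuer that signed the ID Token, which is what stops the malicious OP of section 6 from asserting an identifier it is not authoritative for. The in-memory fake_get fetcher, the sample identifiers and the assumption that the fetched document is a JSON object with an "iss" member are all constructed for this example. The example also shows the XRI case raised above: a CanonicalID such as *=!91F2.8153.F600.AE24* is not an https URL, so the lookup cannot be performed and the RP must refuse the association.

```python
"""RP-side verification of the openid2_id claim (constructed example)."""
import json
from urllib.parse import urlparse

# Constructed stand-in for the network: OpenID 2.0 Identifier -> (status,
# Content-Type, body), as if fetched with GET and Accept: application/json.
FAKE_RESPONSES = {
    "https://alice.example.net/": (
        200, "application/json", json.dumps({"iss": "https://op.example.com"})),
    # A legacy identifier page that was never upgraded to serve JSON.
    "https://bob.example.net/": (200, "text/html", "<html>legacy page</html>"),
}


def fake_get(url):
    """Stand-in for the HTTPS GET; unknown identifiers return 404."""
    return FAKE_RESPONSES.get(url, (404, "text/plain", ""))


def issuer_for_openid2_id(openid2_id, get=fake_get):
    """Return the issuer named by the OpenID 2.0 Identifier, or None.

    Only https URLs can be resolved this way. An XRI CanonicalID such as
    "*=!91F2.8153.F600.AE24*" has no scheme and yields None, which is the
    gap noted above for XRI-based identifiers.
    """
    parsed = urlparse(openid2_id)
    if parsed.scheme != "https" or not parsed.netloc:
        return None
    status, content_type, body = get(openid2_id)
    if status != 200 or content_type.split(";")[0].strip() != "application/json":
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    # Assumption for this example: the document is an object with an "iss" string.
    iss = doc.get("iss") if isinstance(doc, dict) else None
    return iss if isinstance(iss, str) else None


def verify_openid2_id(claims, get=fake_get):
    """Decide whether the RP may link claims["openid2_id"] to claims["sub"].

    Assumes the ID Token signature, aud, exp and nonce were already validated
    as OpenID Connect Core requires; this function only checks that the token
    issuer is authoritative for the asserted OpenID 2.0 Identifier.
    Returns (ok, reason).
    """
    openid2_id = claims.get("openid2_id")
    token_iss = claims.get("iss")
    if not openid2_id or not token_iss:
        return False, "missing openid2_id or iss"
    expected_iss = issuer_for_openid2_id(openid2_id, get)
    if expected_iss is None:
        return False, "could not resolve an issuer for %s" % openid2_id
    # iss values are compared as exact strings, as OpenID Connect requires.
    if expected_iss != token_iss:
        return False, "issuer mismatch: token says %s, identifier says %s" % (
            token_iss, expected_iss)
    return True, "ok"


if __name__ == "__main__":
    honest = {"iss": "https://op.example.com", "sub": "248289761001",
              "openid2_id": "https://alice.example.net/"}
    # A second OP asserting an identifier that points at a different issuer.
    impersonation = dict(honest, iss="https://other-op.example.org")
    xri = dict(honest, openid2_id="*=!91F2.8153.F600.AE24*")
    for name, claims in (("honest", honest), ("impersonation", impersonation),
                         ("xri", xri)):
        print(name, verify_openid2_id(claims))
```

The fetcher is injected so the same logic can be run against a real HTTP client; the decision is deliberately fail-closed, so a non-JSON response, a missing "iss" member, or an unresolvable identifier all refuse the link rather than falling back to trusting the token.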

On Thu, Aug 21, 2014 at 3:18 AM, Nat Sakimura <sakimura at gmail.com> wrote:

> ping...
>
>
> 2014-08-08 6:42 GMT+09:00 Nat Sakimura <sakimura at gmail.com>:
>
>> Thanks a lot.
>>
>> I really appreciate it.
>>
>> Best,
>>
>> Nat
>>
>>
>> 2014-08-08 6:06 GMT+09:00 Markus Sabadello <markus.sabadello at gmail.com>:
>>
>>> Hi Nat, I remember our discussions after last IIW, but haven't looked
>>> into this much deeper since then.
>>> I'll read through the migration spec now.
>>>
>>> Markus
>>>
>>>
>>>
>>> On Thu, Aug 7, 2014 at 9:18 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>>>
>>>> Hi Markus,
>>>>
>>>> The migration spec is now in the WG Last Call. I would very much
>>>> appreciate if you could quickly review it.
>>>>
>>>> Here is the announcement I sent out earlier today to the list:
>>>>
>>>> OpenID 2.0 to OpenID Connect Migration (aka OID2 to OIDC Migration) is
>>>> a spec that allows RPs to associate the old OpenID 2.0 identifiers to the
>>>> new OpenID Connect identifiers without user intervention or extra round
>>>> trip.
>>>>
>>>> The spec has been under development for approximately half a year and
>>>> has recently gone into WGLC[1].
>>>>
>>>> During the WGLC, several comments were gathered and the WG decided to
>>>> normatively change / simplify the verification rule.
>>>>
>>>> In the draft 01, the OpenID 2.0 identifier was returning public key of
>>>> the issuer but it is now returning the issuer in draft 02. This actually
>>>> simplifies the verification rule as well as it would make it more flexible.
>>>>
>>>> The diffs can be found from here:
>>>>
>>>>
>>>> http://hg.openid.net/connect/commits/0752b8ff5d11602be9dd0ceefd5e61d420ab6703
>>>>
>>>>
>>>> and the HTML version of the document can be found here:
>>>>
>>>>     http://openid.bitbucket.org/openid-connect-migration-1_0.html
>>>>
>>>>
>>>> [1] Working Group Last Call
>>>>
>>>>
>>>> Best,
>>>> --
>>>> Nat Sakimura (=nat)
>>>> Chairman, OpenID Foundation
>>>> http://nat.sakimura.org/
>>>> @_nat_en
>>>>
>>>
>>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>
>
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>