[Openid-specs-ab] Some comments on OpenID 2.0 to OpenID Connect Migration spec

Justin Richer jricher at mitre.org
Mon Aug 25 14:28:03 UTC 2014


Note that in sections 2 and 6, it's not fetching the issuer URL, but 
rather it's fetching the OpenID 2.0 Identifier URL, which contains the 
issuer. Thus, the webfinger style discovery doesn't really fit here.

  -- Justin

On 08/23/2014 08:36 AM, Markus Sabadello wrote:
> http://openid.bitbucket.org/openid-connect-migration-1_0.html
>
> --------------
> In section 1.2:
>
> "OpenID 2.0 Identifier
> Verified user identifier as specified by OpenID Authentication 2.0."
>
> maybe change to
>
> "OpenID 2.0 Identifier
> Verified *Claimed Identifier* as specified by OpenID Authentication 2.0. "
>
> --------------
>
> In sections 2 and 6, something feels a bit strange about retrieving 
> the "iss" simply with a plain GET and Content-Type application/json. I 
> was wondering if this shouldn't instead use OIDC Issuer Discovery / 
> Webfinger? But of course it would work the way it is written now.
>
> --------------
>
> In section 4:
>
> "For XRI, OpenID 2.0 Identifier MUST be created as https://xri.net/ 
> concatenated with the user’s verified XRI without the xri:// scheme. "
>
> The problem with this I think is that in OpenID 2.0, for an XRI the 
> Claimed Identifier is the pure CanonicalID (I-Number), without 
> https:// or xri:// scheme. For example, an RP might have 
> *=!91F2.8153.F600.AE24* as the Claimed Identifier (openid2_id) for a 
> user in its database.
>
> So I think in section 4, we should either not say anything specific at 
> all about XRI, or say something like this:
>
> "For XRI, OpenID 2.0 Identifier MUST be the content of the 
> <CanonicalID> element, as specified in [OpenID.2.0]"
>
> Then an example ID Token would be:
> {
>   "iss": "?? not sure",
>   "sub": "?? not sure",
>   "aud": "s6BhdRkqt3",
>   "nonce": "n-0S6_WzA2Mj",
>   "exp": 1311281970,
>   "iat": 1311280970,
>   "openid2_id": "*=!91F2.8153.F600.AE24*"
> }
> But then I can see that obtaining an "iss" as described in sections 2 
> and 6 won't work.
>
> --------------
>
> I remember Nat+John telling me at one of the previous IIWs how XRI to 
> OIDC migration would work, but I don't remember the details.
>
> Would this involve a Self-Issued OIDC Provider?
> Would there be just one OIDC Provider (xri.net), or 
> would there be a way to have one OIDC for each registrar (i-broker)?
> What would the "iss" and "sub" values be?
>
> --------------
>
> In section 6:
>
> Grammar: "A malicious OP may try to impersonate the user by returning 
> *an* OpenID 2.0 Identifier that it is not authoritative for."
>
> --------------
>
> In appendix A in the diagram, shouldn't "Resource" be "Relying Party"?
>
> --------------
>
> Markus
>
>
> On Thu, Aug 21, 2014 at 3:18 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>
>     ping...
>
>
>     2014-08-08 6:42 GMT+09:00 Nat Sakimura <sakimura at gmail.com>:
>
>         Thanks a lot.
>
>         I really appreciate it.
>
>         Best,
>
>         Nat
>
>
>         2014-08-08 6:06 GMT+09:00 Markus Sabadello <markus.sabadello at gmail.com>:
>
>             Hi Nat, I remember our discussions after last IIW, but
>             haven't looked into this much deeper since then.
>             I'll read through the migration spec now.
>
>             Markus
>
>
>
>             On Thu, Aug 7, 2014 at 9:18 PM, Nat Sakimura <sakimura at gmail.com> wrote:
>
>                 Hi Markus,
>
>                 The migration spec is now in the WG Last Call. I would
>                 very much appreciate if you could quickly review it.
>
>                 Here is the announcement I sent out earlier today to
>                 the list:
>
>                 OpenID 2.0 to OpenID Connect Migration (aka OID2 to
>                 OIDC Migration) is a spec that allows RPs to associate
>                 the old OpenID 2.0 identifiers to the new OpenID
>                 Connect identifiers without user intervention or extra
>                 round trip.
>
>                 The spec has been under development for approximately
>                 half a year and has recently gone into WGLC[1].
>
>                 During the WGLC, several comments were gathered and
>                 the WG decided to normatively change / simplify the
>                 verification rule.
>
>                 In the draft 01, the OpenID 2.0 identifier was
>                 returning public key of the issuer but it is now
>                 returning the issuer in draft 02. This actually
>                 simplifies the verification rule as well as it would
>                 make it more flexible.
>
>                 The diffs can be found from here:
>
>                 http://hg.openid.net/connect/commits/0752b8ff5d11602be9dd0ceefd5e61d420ab6703
>
>
>                 and the HTML version of the document can be found here:
>
>                 http://openid.bitbucket.org/openid-connect-migration-1_0.html
>
>
>                 [1] Working Group Last Call
>
>
>                 Best,
>                 --
>                 Nat Sakimura (=nat)
>                 Chairman, OpenID Foundation
>                 http://nat.sakimura.org/
>                 @_nat_en
>
>
>
>
>
>         -- 
>         Nat Sakimura (=nat)
>         Chairman, OpenID Foundation
>         http://nat.sakimura.org/
>         @_nat_en
>
>
>
>
>     -- 
>     Nat Sakimura (=nat)
>     Chairman, OpenID Foundation
>     http://nat.sakimura.org/
>     @_nat_en
>
>
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
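As an added illustration of the verification rule the thread is discussing (this is editorial example code, not text from the thread, the migration draft, or any OpenID Foundation implementation): the RP fetches the OpenID 2.0 Identifier URL, reads the issuer it declares, and accepts the "openid2_id" claim only when that issuer is the same as the "iss" of the ID Token. This is the check that defeats the section 6 threat of an OP asserting an identifier it is not authoritative for. The JSON shape of the fetched document ({"iss": ...}), the lookup table standing in for an HTTP GET, and all identifier and token values are constructed assumptions; the example also shows the gap Markus raises, since an XRI canonical ID has no https form and the lookup cannot be applied to it.

```python
import json
from urllib.parse import urlparse

# Constructed response bodies standing in for a GET on the OpenID 2.0
# Identifier URL with Accept: application/json. The {"iss": ...} shape is
# an assumption drawn from the thread's description of draft 02.
CONSTRUCTED_RESPONSES = {
    "https://example.com/alice": '{"iss": "https://op.example.com"}',
    "https://example.com/broken": "<html>not json</html>",
}


def fetch_declared_issuer(openid2_id, responses=CONSTRUCTED_RESPONSES):
    """Return the issuer the OpenID 2.0 Identifier URL declares, else None.

    Only https identifiers are dereferenced. An XRI canonical ID such as
    "=!91F2.8153.F600.AE24" has no URL form, so the section 2/6 lookup
    cannot be applied to it and the function reports failure.
    """
    parsed = urlparse(openid2_id)
    if parsed.scheme != "https" or not parsed.netloc:
        return None
    body = responses.get(openid2_id)   # stand-in for the HTTP response body
    if body is None:
        return None
    try:
        doc = json.loads(body)
    except ValueError:                 # non-JSON body: treat as no issuer
        return None
    iss = doc.get("iss") if isinstance(doc, dict) else None
    return iss if isinstance(iss, str) and iss else None


def verify_openid2_id(id_token_payload, responses=CONSTRUCTED_RESPONSES):
    """RP-side acceptance check for the openid2_id claim.

    The identifier itself must name the ID Token's issuer. An OP asserting an
    openid2_id it is not authoritative for fails here because that identifier
    resolves to a different issuer. The comparison is an exact string match
    with no normalisation, so a trailing slash or case difference is a
    mismatch. Returns (accepted, reason).
    """
    openid2_id = id_token_payload.get("openid2_id")
    token_iss = id_token_payload.get("iss")
    if not isinstance(openid2_id, str) or not isinstance(token_iss, str):
        return False, "openid2_id or iss missing from ID Token"
    declared = fetch_declared_issuer(openid2_id, responses)
    if declared is None:
        return False, "could not obtain an issuer from the OpenID 2.0 Identifier"
    if declared != token_iss:
        return False, "issuer mismatch: OP is not authoritative for this identifier"
    return True, "ok"


# Constructed ID Token payloads; signature verification is assumed to have
# happened before this step, as it would in a real RP.
HONEST_TOKEN = {
    "iss": "https://op.example.com",
    "sub": "constructed-subject-1",
    "aud": "s6BhdRkqt3",
    "openid2_id": "https://example.com/alice",
}
IMPERSONATING_TOKEN = dict(HONEST_TOKEN, iss="https://other-op.example.org")
XRI_TOKEN = dict(HONEST_TOKEN, openid2_id="=!91F2.8153.F600.AE24")

if __name__ == "__main__":
    for name, tok in [("honest", HONEST_TOKEN),
                      ("impersonating", IMPERSONATING_TOKEN),
                      ("xri", XRI_TOKEN)]:
        print(name, verify_openid2_id(tok))
```

Running the block prints one line per constructed token: the honest token is accepted, the impersonating one is rejected on issuer mismatch, and the XRI one is rejected because no issuer can be obtained from a bare canonical ID, which is the point Justin's reply and Markus's comment on section 4 both circle around.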
