[Openid-specs-ab] Some comments on OpenID 2.0 to OpenID Connect Migration spec

Markus Sabadello markus.sabadello at gmail.com
Wed Aug 27 18:39:52 UTC 2014


I don't understand.
The idea is to find the issuer, given an OpenID 2.0 identifier, right?
Why would Webfinger discovery not fit for that?

Markus



On Mon, Aug 25, 2014 at 4:28 PM, Justin Richer <jricher at mitre.org> wrote:

>  Note that in sections 2 and 6, it's not fetching the issuer URL, but
> rather it's fetching the OpenID 2.0 Identifier URL, which contains the
> issuer. Thus, the webfinger style discovery doesn't really fit here.
>
>  -- Justin
>
>
> On 08/23/2014 08:36 AM, Markus Sabadello wrote:
>
> http://openid.bitbucket.org/openid-connect-migration-1_0.html
>
> --------------
> In section 1.2:
>  "OpenID 2.0 Identifier
> Verified user identifier as specified by OpenID Authentication 2.0."
>
> maybe change to
>
> "OpenID 2.0 Identifier
> Verified *Claimed Identifier* as specified by OpenID Authentication 2.0. "
>
> --------------
>
> In sections 2 and 6, something feels a bit strange about retrieving the
> "iss" simply with a plain GET and Content-Type application/json. I was
> wondering if this shouldn't instead use OIDC Issuer Discovery / Webfinger?
> But of course it would work the way it is written now.
>
> --------------
>
> In section 4:
>
> "For XRI, OpenID 2.0 Identifier MUST be created as https://xri.net/
> concatenated with the user’s verified XRI without the xri:// scheme. "
>
> The problem with this I think is that in OpenID 2.0, for an XRI the
> Claimed Identifier is the pure CanonicalID (I-Number), without https://
> or xri:// scheme. For example, an RP might have *=!91F2.8153.F600.AE24*
> as the Claimed Identifier (openid2_id) for a user in its database.
>  So I think in section 4, we should either not say anything specific at
> all about XRI, or say something like this:
>
> "For XRI, OpenID 2.0 Identifier MUST be the content of the <CanonicalID>
> element, as specified in [OpenID.2.0]"
>
>  Then an example ID Token would be:
>
> {
>  "iss": "?? not sure",
>  "sub": "?? not sure",
>  "aud": "s6BhdRkqt3",
>  "nonce": "n-0S6_WzA2Mj",
>  "exp": 1311281970,
>  "iat": 1311280970,
>  "openid2_id": "=!91F2.8153.F600.AE24"
> }
>
> But then I can see that obtaining an "iss" as described in sections 2 and
> 6 won't work.
>
> --------------
>
> I remember Nat+John telling me at one of the previous IIWs how XRI to OIDC
> migration would work, but I don't remember the details.
>
> Would this involve a Self-Issued OIDC Provider?
> Would there be just one OIDC Provider (xri.net), or would there be a way
> to have one OIDC for each registrar (i-broker)?
> What would the "iss" and "sub" values be?
>  --------------
>
>  In section 6:
>
>  Grammar: "A malicious OP may try to impersonate the user by returning
> *an* OpenID 2.0 Identifier that it is not authoritative for."
>
> --------------
>
> In appendix A in the diagram, shouldn't "Resource" be "Relying Party"?
>
> --------------
>
> Markus
>
> On Thu, Aug 21, 2014 at 3:18 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>
>> ping...
>>
>>
>> 2014-08-08 6:42 GMT+09:00 Nat Sakimura <sakimura at gmail.com>:
>>
>>> Thanks a lot.
>>>
>>>  I really appreciate it.
>>>
>>>  Best,
>>>
>>>  Nat
>>>
>>>
>>> 2014-08-08 6:06 GMT+09:00 Markus Sabadello <markus.sabadello at gmail.com>:
>>>
>>>
>>>> Hi Nat, I remember our discussions after last IIW, but haven't looked
>>>> into this much deeper since then.
>>>> I'll read through the migration spec now.
>>>>
>>>> Markus
>>>>
>>>>
>>>>
>>>> On Thu, Aug 7, 2014 at 9:18 PM, Nat Sakimura <sakimura at gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Markus,
>>>>>
>>>>> The migration spec is now in the WG Last Call. I would very much
>>>>> appreciate it if you could quickly review it.
>>>>>
>>>>> Here is the announcement I sent out earlier today to the list:
>>>>>
>>>>> OpenID 2.0 to OpenID Connect Migration (aka OID2 to OIDC Migration) is
>>>>> a spec that allows RPs to associate the old OpenID 2.0 identifiers with the
>>>>> new OpenID Connect identifiers without user intervention or an extra round
>>>>> trip.
>>>>>
>>>>> The spec has been under development for approximately half a year and
>>>>> has recently gone into WGLC[1].
>>>>>
>>>>> During the WGLC, several comments were gathered and the WG decided to
>>>>> normatively change / simplify the verification rule.
>>>>>
>>>>> In draft 01, the OpenID 2.0 identifier was returning the public key of
>>>>> the issuer, but in draft 02 it now returns the issuer. This actually
>>>>> simplifies the verification rule as well as making it more flexible.
>>>>>
>>>>> The diffs can be found from here:
>>>>>
>>>>>
>>>>> http://hg.openid.net/connect/commits/0752b8ff5d11602be9dd0ceefd5e61d420ab6703
>>>>>
>>>>>
>>>>> and the HTML version of the document can be found here:
>>>>>
>>>>>     http://openid.bitbucket.org/openid-connect-migration-1_0.html
>>>>>
>>>>>
>>>>> [1] Working Group Last Call
>>>>>
>>>>>
>>>>> Best,
>>>>> --
>>>>> Nat Sakimura (=nat)
>>>>> Chairman, OpenID Foundation
>>>>> http://nat.sakimura.org/
>>>>> @_nat_en
>>>>>
>>>>
>>>>
>>>
>>>
>>>  --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>>
>>
>>
>>
>>  --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>
>
>
>
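The verification rule the thread discusses for sections 2 and 6 (the RP does a GET on the OpenID 2.0 Identifier URL carried in the ID Token's "openid2_id" claim, reads the issuer that URL returns, and accepts the link only if it equals the ID Token's own "iss"), worked through as an added example. This is not code from the thread, the migration spec or any OpenID project; the JSON document shape ({"iss": ...}), the Accept header, the hostnames and the "sub" values are assumptions. It also shows the two outcomes the thread raises: a mismatch is the section 6 impersonation case (an OP returning an identifier it is not authoritative for), and a bare XRI CanonicalID has no URL to fetch, so no "iss" can be obtained from it.

```python
"""
Added example (not from the thread or the migration spec): an RP-side check
that the issuer published at the OpenID 2.0 Identifier URL matches the "iss"
of the ID Token that carries the "openid2_id" claim. The HTTP fetch is
injected so the example runs offline.
"""
import json
from urllib.parse import urlparse

# Constructed: what each OpenID 2.0 Identifier URL is assumed to return on a
# GET with "Accept: application/json". Not real hosts, not the spec's wording.
FAKE_WEB = {
    "https://alice.example.com/": {"iss": "https://op.example.com"},
    "https://bob.example.net/id": {"iss": "https://op.example.net"},
}


def fake_fetch_json(url):
    """Stand-in for an HTTPS GET; returns the parsed JSON document or None."""
    doc = FAKE_WEB.get(url)
    return None if doc is None else json.loads(json.dumps(doc))


def issuer_for_openid2_id(openid2_id, fetch=fake_fetch_json):
    """Return the issuer published at the OpenID 2.0 Identifier URL, or None.

    Only http(s) URLs are handled: a bare XRI CanonicalID such as
    "=!91F2.8153.F600.AE24" is not a URL, so there is nothing to fetch,
    which is the XRI gap pointed out in the thread.
    """
    parsed = urlparse(openid2_id)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return None
    doc = fetch(openid2_id)
    if not isinstance(doc, dict):
        return None
    iss = doc.get("iss")
    return iss if isinstance(iss, str) and iss else None


def verify_openid2_id_claim(id_token_claims, fetch=fake_fetch_json):
    """Decide whether the RP may link openid2_id to the token's (iss, sub).

    Returns (accepted, reason). The ID Token's signature, aud, nonce and exp
    are assumed to have been verified already by the normal OIDC checks.
    A mismatch means the OP that issued the token is not the issuer the
    identifier URL points at, i.e. the impersonation case from section 6.
    """
    openid2_id = id_token_claims.get("openid2_id")
    if not openid2_id:
        return False, "no openid2_id claim"
    published_iss = issuer_for_openid2_id(openid2_id, fetch)
    if published_iss is None:
        return False, "could not obtain iss from OpenID 2.0 Identifier"
    # Issuer comparison is an exact string match, as for any OIDC "iss".
    if published_iss != id_token_claims.get("iss"):
        return False, "iss mismatch: OP is not authoritative for openid2_id"
    return True, "ok"


# Constructed ID Token payloads (signature assumed checked upstream).
HONEST = {"iss": "https://op.example.com", "sub": "248289761001",
          "aud": "s6BhdRkqt3", "openid2_id": "https://alice.example.com/"}
# A different OP asserting Alice's identifier for one of its own subjects.
IMPERSONATING = dict(HONEST, iss="https://op.example.net", sub="999")
# The XRI case from the thread: a CanonicalID, not a URL.
XRI = dict(HONEST, openid2_id="=!91F2.8153.F600.AE24")

if __name__ == "__main__":
    for name, tok in [("honest", HONEST), ("impersonating", IMPERSONATING),
                      ("xri", XRI)]:
        print(name, verify_openid2_id_claim(tok))
```

Running it prints an accepted result for the honest token, an "iss mismatch" rejection for the impersonating one, and a "could not obtain iss" rejection for the XRI identifier, which is the situation Markus describes where the section 2/6 procedure cannot work for a bare CanonicalID.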