[Openid-specs-ab] Comments on Solberg JWT Federation

Mike Schwartz mike at gluu.org
Thu Aug 2 20:10:13 UTC 2018


First question, how did you get the Twitter handle @erlang?

Here are some comments, just prima facie:

1. I like the idea to leverage WebFinger. One of my core concerns about 
the current OIDC federation draft is that it's too static in a day and 
age when we're all using lots of APIs. And WebFinger is already used by 
OPs that support dynamic configuration, so why not use it? But one 
question I have is public clients; for example, a JavaScript application 
running in the browser can't host a WebFinger endpoint.

2. Wouldn't it be better for the client to present its metadata during 
dynamic client registration, rather than requiring the OP to call back 
to the RP's WebFinger URL at authentication time?

3. Are you also proposing the use of OP/RP metadata for signing_keys, 
signing_keys_uri, and signed_jwks_uri? Another federation challenge is 
that key rotation for the jwks_uri happens frequently if you are 
following guidelines for best practices (every two days).

4. What about metadata for the federation itself? Perhaps the federation 
wants to publish certain guidelines, like what are the SAML attributes 
it recommends its participants to support? For example, InCommon 
recommends use of eduPerson.

5. How would a client register with the federation to get that 
persistent identifier? Or is that out of scope of your proposal?

6. Did you go through the inter-federation use case? Is the data 
duplicated? Or does one federation refer back to the other federation?

- Mike

Michael Schwartz
Founder / CEO
mike at gluu.org
