[Openid-specs-ab] Comments on Solberg JWT Federation

Nick Roy nroy at internet2.edu
Thu Aug 2 20:33:41 UTC 2018


On 8/2/18 2:10 PM, Mike Schwartz via Openid-specs-ab wrote:
> Andreas,
> 
> First question, how did you get twitter handle @erlang ?
> 
> Here are some comments, just prima facie:
> 
> 1. I like the idea to leverage WebFinger. One of my core concerns about 
> the current OIDC federation draft is that it's too static in a day and 
> age when we're all using lots of APIs. And WebFinger is already used by 
> OPs that support dynamic configuration, so why not use it? But one 
> question I have is about public clients; for example, a JavaScript application 
> running in the browser can't host a WebFinger endpoint.
> 
> 2. Wouldn't it be better for the client to present its metadata during 
> dynamic client registration, rather than requiring the OP to call back 
> to the RP's WebFinger URL at authentication time?
> 
> 3. Are you also proposing the use of OP/RP metadata for signing_keys, 
> signing_keys_uri, and signed_jwks_uri? Another federation challenge is 
> that key rotation for the jwks_uri happens frequently if you are 
> following guidelines for best practices (every two days).
> 
> 4. What about metadata for the federation itself? Perhaps the federation 
> wants to publish certain guidelines, like what are the SAML attributes 
> it recommends its participants to support? For example, InCommon 
> recommends use of eduPerson.

Wouldn't that be handled by scopes in the metadata statement for the OP/RP?

Nick

> 
> 5. How would a client register with the federation to get that 
> persistent identifier? Or is that out of scope of your proposal?
> 
> 6. Did you go through the inter-federation use case? Is the data 
> duplicated? Or does one federation refer back to the other federation?
> 
> - Mike
> 
> 
> ------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> mike at gluu.org
> https://www.linkedin.com/in/nynymike/
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> 
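For point 1 and point 2 above, the WebFinger mechanism Mike refers to is the one OpenID Connect Discovery 1.0 already uses to locate an issuer from a user identifier. The following is an added example (mine, not code from the Solberg draft, from Gluu, or from any OpenID Foundation implementation) of the relying-party side of that exchange: normalizing the identifier, building the WebFinger request URL, and checking the JRD answer before trusting the issuer it names. The JRD documents are constructed sample data, and no network request is made; the caller passes the JRD text in. Note for anyone who would have an OP fetch a WebFinger document from a host derived from client-supplied data, as point 2 discusses: that fetch is server-side request forgery surface, so the derived host must be validated before any request is sent. That validation is out of scope here.

```python
"""WebFinger-based OpenID issuer discovery (OpenID Connect Discovery 1.0,
section 2), with the checks an RP should make on the answer.

Added example for this list-archive page; not part of the Solberg draft or
any OpenID Foundation implementation. The JRD documents below are constructed
sample data, and issuer_from_jrd() takes JRD text so everything runs offline.
"""
import json
from urllib.parse import quote, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def normalize_resource(identifier):
    """Apply the section 2.1 normalization rules; return (resource, host).

    - "acct:" identifiers are used as-is; a bare e-mail-style input gets "acct:".
    - Anything else is a URL: a missing scheme defaults to https, any fragment
      is stripped, and the WebFinger host is the URL's host[:port].
    This example refuses non-https URL identifiers, since RFC 7033 requires
    the WebFinger request itself to go over https.
    """
    ident = identifier.strip()
    if ident.startswith("acct:") or ("@" in ident and "://" not in ident):
        resource = ident if ident.startswith("acct:") else "acct:" + ident
        if "@" not in resource:
            raise ValueError("acct: identifier has no host part")
        return resource, resource.rsplit("@", 1)[1]
    if "://" not in ident:
        ident = "https://" + ident
    parts = urlsplit(ident)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("only https URL identifiers are accepted here")
    return parts._replace(fragment="").geturl(), parts.netloc


def webfinger_url(identifier):
    """The GET the RP would issue, with resource and rel percent-encoded."""
    resource, host = normalize_resource(identifier)
    return "https://%s/.well-known/webfinger?resource=%s&rel=%s" % (
        host, quote(resource, safe=""), quote(OIDC_ISSUER_REL, safe=""))


def issuer_from_jrd(jrd_text, resource):
    """Extract the issuer from a JRD, rejecting answers that should not be trusted.

    Stricter than RFC 7033 by design: the JRD must name the requested resource
    in "subject" or "aliases", so a document for some other subject is not
    silently accepted. The issuer must be an https URL with no query or
    fragment, as Discovery 1.0 requires of issuer identifiers.
    """
    jrd = json.loads(jrd_text)
    if jrd.get("subject") != resource and resource not in jrd.get("aliases", []):
        raise ValueError("JRD subject does not match the requested resource")
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            href = link.get("href", "")
            p = urlsplit(href)
            if p.scheme != "https" or not p.netloc or p.query or p.fragment:
                raise ValueError("issuer must be an https URL without query/fragment")
            return href
    raise ValueError("no OpenID issuer link in JRD")


def rejects(jrd_text, resource):
    """True if issuer_from_jrd refuses the document (used by the demo below)."""
    try:
        issuer_from_jrd(jrd_text, resource)
        return False
    except ValueError:
        return True


# Constructed sample JRDs (not captured from any real server).
GOOD_JRD = json.dumps({
    "subject": "acct:joe@example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://server.example.com"}],
})
HTTP_ISSUER_JRD = json.dumps({  # issuer downgraded to plain http
    "subject": "acct:joe@example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "http://server.example.com"}],
})
FOREIGN_SUBJECT_JRD = json.dumps({  # answer describing a different subject
    "subject": "acct:mallory@example.com",
    "links": [{"rel": OIDC_ISSUER_REL, "href": "https://server.example.com"}],
})

if __name__ == "__main__":
    print(webfinger_url("joe@example.com"))
    print(issuer_from_jrd(GOOD_JRD, "acct:joe@example.com"))
    print(rejects(HTTP_ISSUER_JRD, "acct:joe@example.com"),
          rejects(FOREIGN_SUBJECT_JRD, "acct:joe@example.com"))
```

The subject/alias check is the part most implementations skip; without it, a WebFinger server that answers for the wrong resource (or a proxy that rewrites the answer) can steer the RP to an issuer the user never named.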


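Point 3 above raises frequent jwks_uri rotation as a federation challenge. The usual way an RP copes is to look keys up by kid, refetch the JWKS only when it meets a kid it has not seen, and throttle those refetches so that a token carrying an attacker-chosen kid cannot make the RP hammer the jwks_uri. The following is an added example of that cache logic (mine, not code from the Solberg draft or any product named in this thread). The fetch function and clock are injected so the example runs offline; the JWKS versions are constructed sample data, and the JWK values are placeholders, not real keys. The example does not verify signatures, and in the signed_jwks_uri variant Mike mentions the fetched document would itself be a JWS to be verified against a federation-anchored key before its keys are loaded; that step is not shown.

```python
"""JWKS cache that refreshes on an unknown kid, with refresh throttling.

Added example; fetch_jwks and clock are injected so it runs offline.
"""
import time


class JwksCache:
    def __init__(self, fetch_jwks, min_refresh_interval=60.0, clock=time.monotonic):
        self._fetch = fetch_jwks            # returns a parsed JWKS dict
        self._min = min_refresh_interval    # seconds between forced refreshes
        self._clock = clock
        self._keys = {}                     # kid -> JWK
        self._last_refresh = None

    def _refresh(self):
        # Replace the whole key set: kids the OP no longer publishes are
        # dropped, so a retired key stops validating tokens after one refresh.
        keys = {}
        for jwk in self._fetch().get("keys", []):
            if jwk.get("kid"):
                keys[jwk["kid"]] = jwk
        self._keys = keys
        self._last_refresh = self._clock()

    def key_for(self, kid):
        """Return the JWK for kid, refreshing at most once per interval."""
        if kid in self._keys:
            return self._keys[kid]
        now = self._clock()
        if self._last_refresh is None or now - self._last_refresh >= self._min:
            self._refresh()
            if kid in self._keys:
                return self._keys[kid]
        # Unknown kid inside the throttle window: fail without fetching.
        raise KeyError(kid)


def simulate_rotation():
    """Drive the cache through one key rotation with a scripted fetcher/clock.

    Returns (first kid found, refresh was throttled, rotated kid found,
    total fetches). Sample JWKS documents are constructed; "n" values are
    placeholders, not RSA moduli.
    """
    versions = [  # what jwks_uri would serve before and after rotation
        {"keys": [{"kid": "2018-08-01", "kty": "RSA", "n": "placeholder-1", "e": "AQAB"}]},
        {"keys": [{"kid": "2018-08-03", "kty": "RSA", "n": "placeholder-2", "e": "AQAB"},
                  {"kid": "2018-08-01", "kty": "RSA", "n": "placeholder-1", "e": "AQAB"}]},
    ]
    state = {"t": 0.0, "fetches": 0, "version": 0}

    def fetch():
        state["fetches"] += 1
        return versions[state["version"]]

    cache = JwksCache(fetch, min_refresh_interval=60.0, clock=lambda: state["t"])
    first = cache.key_for("2018-08-01")["kid"]       # cold cache: fetch #1
    state["t"] = 10.0                                 # still inside the window
    try:
        cache.key_for("not-a-published-kid")
        throttled = False
    except KeyError:
        throttled = state["fetches"] == 1             # no extra fetch happened
    state["version"] = 1                              # the OP rotates
    state["t"] = 100.0                                # window has elapsed
    rotated = cache.key_for("2018-08-03")["kid"]     # miss -> fetch #2
    return first, throttled, rotated, state["fetches"]


if __name__ == "__main__":
    print(simulate_rotation())
```

The throttle interval is a trade-off: too long and a legitimate rotation leaves tokens signed with the new key rejected until the window passes, too short and the RP can be made to refetch on every request. With a two-day rotation cadence as in point 3, a window of a minute or so is ample.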