[Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

Manger, James James.H.Manger at team.telstra.com
Fri Jun 9 00:01:56 UTC 2017

> My hope was that by making sector_identifier_uri mandatory we would get rid of all the special cases with jwks_uri and whatnot.
> Isn’t that true?


> So if someone uses CIBA then there MUST be a siu at registration time and CIBA does not care how that is validated.
> Making my life too easy?

Wishful thinking, Axel ;)

An OP needs proof that an app is entitled to use a sector_id before revealing the subs associated with that sector_id.
A new app merely quoting a sector_id in its registration is not proof. It shows the app wants that sector_id, but it doesn’t show that the other apps using that sector_id want to share subs with this new app. It doesn’t prevent a malicious app quoting another group’s sector_id.

So the content at a sector_identifier_uri needs to identify each app that is entitled to use that sector_id (host part of siu). It does so by listing a URI that each app needs to control to operate. For “normal” OIDC an app’s redirect_uri is sufficient; for CIBA with notifications an app’s client_notification_endpoint is sufficient; for CIBA with polling and asymmetric signatures an app’s jwks_uri is sufficient; for other cases the tuple {iss, client_id} could work.

Hence CIBA needs to add that, at registration, the OP needs to confirm that siu lists client_notification_endpoint (to enable notifications) or jwks_uri (to enable polling with asymmetric signatures).

James Manger

From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Thursday, 8 June 2017 18:56
To: Nennker, Axel <Axel.Nennker at telekom.de>
Cc: openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

Validation of the sector identifier is part of registration.

The client registers its client_notification_endpoint as a new element.  (Shouldn't that be an array vs a single URI if the request allows notification_uri to be specified?  otherwise why send it in the request?)

The registration process needs to check those URI against the URI in the JSON file returned from the sector_identifier_uri.

I don't think registration is going to get updated anytime soon so it probably needs to be explained in this spec for those IDPs that allow notification_uri to be specified.

All AS should always use the sector_identifier_uri as the key for generating ppid. Nothing in that changes.

I think for the polling we need to specify the client JWKS endpoint in the sector_identifier_uri as well.

It is just a URI so that should not be an issue.

If the registered jwks uri is not in the file then don’t allow polling.
I know this precludes the use of symmetric keys but I think that may be a reasonable trade off if someone wants to use this with polling.

John B.
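The registration check James and John describe above (every URI a client must control to operate has to appear in the JSON array at its sector_identifier_uri, with no notifications unless client_notification_endpoint is listed and no polling unless jwks_uri is listed), followed by the pairwise sub derived from the validated sector. This is an added illustration, not code from the thread, the CIBA draft or any OP. It assumes the OP's HTTPS fetch of the sector document is replaced by an inline, constructed dictionary, that client_notification_endpoint may be either a single URI or an array (John's question), and that the sector identifier is the host part of sector_identifier_uri, as James states; the client names, URIs and salt are made up.

```python
"""Added example: OP-side sector_identifier_uri validation for OIDC and CIBA
registration, plus pairwise sub derivation from the validated sector.
Not code from the thread or any spec; the sector documents, registrations
and salt below are constructed for illustration."""
import hashlib
import json
from urllib.parse import urlsplit

# Constructed sample sector documents, keyed by sector_identifier_uri.
# A real OP fetches these over HTTPS at registration time.
SECTOR_DOCUMENTS = {
    "https://sector.example.com/apps.json": json.dumps([
        "https://web.example.com/cb",          # redirect_uri of a browser app
        "https://ciba.example.com/notify",     # client_notification_endpoint of a CIBA app
        "https://ciba.example.com/jwks.json",  # jwks_uri of the same CIBA app
    ]),
    "https://other.example.org/sector.json": json.dumps([
        "https://other.example.org/cb",
    ]),
}


def fetch_sector_document(sector_identifier_uri: str) -> list:
    """Stand-in for the HTTPS fetch. Enforces the scheme and the JSON shape."""
    if urlsplit(sector_identifier_uri).scheme != "https":
        raise ValueError("sector_identifier_uri must use https")
    body = SECTOR_DOCUMENTS.get(sector_identifier_uri)
    if body is None:
        raise ValueError("could not fetch sector_identifier_uri")
    doc = json.loads(body)
    if not isinstance(doc, list) or not all(isinstance(u, str) for u in doc):
        raise ValueError("sector document must be a JSON array of URI strings")
    return doc


def _as_list(value):
    """client_notification_endpoint may be a single URI or an array (assumed)."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def validate_registration(reg: dict) -> dict:
    """Decide which flows may be enabled for a registering client.

    Entitlement to the sector is proven by a URI the client must control
    appearing in the sector document:
      redirect_uris                -> normal OIDC (all must be listed, else reject)
      client_notification_endpoint -> CIBA with notifications
      jwks_uri                     -> CIBA polling with asymmetric client signatures
    """
    listed = set(fetch_sector_document(reg["sector_identifier_uri"]))

    redirect_uris = reg.get("redirect_uris", [])
    missing = [u for u in redirect_uris if u not in listed]
    if missing:
        raise ValueError(f"redirect_uris not in sector document: {missing}")

    notify = _as_list(reg.get("client_notification_endpoint"))
    jwks_uri = reg.get("jwks_uri")
    return {
        "oidc_redirect": bool(redirect_uris),
        "ciba_notification": bool(notify) and all(u in listed for u in notify),
        # Symmetric-key clients have no jwks_uri and therefore never get polling.
        "ciba_polling": jwks_uri is not None and jwks_uri in listed,
    }


def sector_identifier(reg: dict) -> str:
    """The sector identifier is the host component of sector_identifier_uri."""
    return urlsplit(reg["sector_identifier_uri"]).hostname


def pairwise_sub(reg: dict, local_account_id: str, op_salt: bytes) -> str:
    """SHA-256(sector_identifier || local_account_id || salt), hex-encoded.
    op_salt is an OP-held secret so subs cannot be correlated across sectors
    by anyone who can guess account ids and sector hosts."""
    h = hashlib.sha256()
    h.update(sector_identifier(reg).encode())
    h.update(local_account_id.encode())
    h.update(op_salt)
    return h.hexdigest()


# Constructed registrations (hypothetical clients).
WEB_APP = {"sector_identifier_uri": "https://sector.example.com/apps.json",
           "redirect_uris": ["https://web.example.com/cb"]}
CIBA_APP = {"sector_identifier_uri": "https://sector.example.com/apps.json",
            "client_notification_endpoint": ["https://ciba.example.com/notify"],
            "jwks_uri": "https://ciba.example.com/jwks.json"}
# Quotes the same sector but controls none of the listed URIs.
IMPOSTOR = {"sector_identifier_uri": "https://sector.example.com/apps.json",
            "client_notification_endpoint": "https://attacker.example.net/notify",
            "jwks_uri": "https://attacker.example.net/jwks.json"}
OTHER_APP = {"sector_identifier_uri": "https://other.example.org/sector.json",
             "redirect_uris": ["https://other.example.org/cb"]}
OP_SALT = b"constructed-op-secret-salt"

if __name__ == "__main__":
    for name, reg in [("WEB_APP", WEB_APP), ("CIBA_APP", CIBA_APP), ("IMPOSTOR", IMPOSTOR)]:
        print(name, validate_registration(reg))
    print("same sector, same sub:",
          pairwise_sub(WEB_APP, "alice", OP_SALT) == pairwise_sub(CIBA_APP, "alice", OP_SALT))
```

WEB_APP and CIBA_APP share a sector and so receive the same sub for the same account, which is the sharing the sector document authorises; IMPOSTOR quotes the same sector_identifier_uri but gets neither notifications nor polling because none of its URIs are listed, and a client whose redirect_uris are not listed is rejected outright.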

On Jun 8, 2017, at 3:38 AM, <Axel.Nennker at telekom.de> wrote:

Hi all,

can this issue be closed?

The sector_identifier_url is now mandatory to be specified at Client registration time.
Validation of the sector_identifier is out-of-scope for CIBA and should be in Discovery.

Please comment on the issue in bitbucket or here.

Kind regards

T-Labs (Research & Innovation)
Axel Nennker
Winterfeldtstr. 21, 10781 Berlin
+491702275312 (Tel.)
E-Mail: axel.nennker at telekom.de
