[Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

Axel.Nennker at telekom.de
Wed Jun 14 19:16:31 UTC 2017


Maybe the point where we are talking past each other is that in the front channel ONE client_id can have several redirect_uris, which lead to different subs when NO sector_identifier_uri is defined, while in the back channel there are no redirect_uris and there is always a sector_identifier_uri?

So in OIDC (front channel) one legal entity can have one backend server and several mobile apps, and in the redirect all apps use the same client_id but different redirect_uris, which leads to different subs if no siu is defined and to the same sub if a siu is defined.
Although I wonder why one legal entity might want different subs anyway…

And in OIDC one legal entity which has multiple clients with different client_ids would define a sector_identifier_uri to get the same sub for all clients.
In CIBA the same legal entity with multiple client_ids needs to define a siu to get the same sub, or different sius (one for each client_id) if they want different subs.

Although none of this has anything to do with validation of metadata or with jwks_uris…

//Axel
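As an added illustration of the sub behaviour discussed above (example code, not from this thread, the CIBA draft or the OpenID specs): it derives pairwise subs using the Sector Identifier rules of OpenID Connect Core section 8.1 (host of the sector_identifier_uri if one is registered, otherwise the single redirect_uri host) and the SHA-256 construction that section gives as an example; the actual hash algorithm is provider-specific. The sector document, salt, client_ids, URIs and account id are all constructed for the example, and the back-channel branch only marks the validation gap the thread is discussing rather than resolving it.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the documents an OP would fetch over HTTPS at
# registration time: a sector_identifier_uri must serve a JSON array of the
# client's redirect_uris (OpenID Connect Dynamic Client Registration 1.0).
SECTOR_DOCS = {
    "https://legal-entity.example/sectors/apps.json": json.dumps([
        "https://app1.example.com/cb",
        "https://app2.example.org/cb",
    ]),
}

# Constructed per-OP salt; a real OP keeps this secret and stable over time.
SALT = b"constructed-op-salt"


@dataclass
class ClientRegistration:
    client_id: str
    redirect_uris: List[str] = field(default_factory=list)  # empty for a CIBA client
    sector_identifier_uri: Optional[str] = None


def sector_identifier(reg: ClientRegistration) -> str:
    """Return the host used as the Sector Identifier (OIDC Core 8.1 rules)."""
    siu = reg.sector_identifier_uri
    if siu:
        parsed = urlparse(siu)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError("sector_identifier_uri must be an https URL")
        if reg.redirect_uris:
            # Front channel: every registered redirect_uri must be listed in the
            # document served at the sector_identifier_uri.
            if siu not in SECTOR_DOCS:
                raise ValueError("sector_identifier_uri could not be fetched")
            allowed = set(json.loads(SECTOR_DOCS[siu]))
            missing = sorted(set(reg.redirect_uris) - allowed)
            if missing:
                raise ValueError(f"redirect_uris not listed at sector_identifier_uri: {missing}")
        # Back channel (CIBA): no redirect_uris, so this cross-check has nothing
        # to compare against; what the OP should validate instead is the open
        # question in the thread above.
        return parsed.hostname
    if not reg.redirect_uris:
        raise ValueError("a client without redirect_uris must register a sector_identifier_uri")
    hosts = {urlparse(u).hostname for u in reg.redirect_uris}
    if len(hosts) != 1:
        raise ValueError("multiple redirect_uri hosts require a sector_identifier_uri")
    return hosts.pop()


def registration_error(reg: ClientRegistration) -> Optional[str]:
    """Registration-time validation failure for reg, or None if it is acceptable."""
    try:
        sector_identifier(reg)
    except ValueError as err:
        return str(err)
    return None


def pairwise_sub(reg: ClientRegistration, local_account_id: str) -> str:
    """sub = SHA-256(sector_identifier || local_account_id || salt), the construction
    OIDC Core 8.1 gives as an example; fields are delimited so that concatenation
    cannot be ambiguous (an addition over the plain example in the spec)."""
    digest = hashlib.sha256()
    digest.update(sector_identifier(reg).encode())
    digest.update(b"\x00" + local_account_id.encode() + b"\x00")
    digest.update(SALT)
    return digest.hexdigest()


if __name__ == "__main__":
    alice = "local-account-42"  # constructed local account id
    siu = "https://legal-entity.example/sectors/apps.json"
    app1 = ClientRegistration("app1", ["https://app1.example.com/cb"])
    app2 = ClientRegistration("app2", ["https://app2.example.org/cb"])
    app1_siu = ClientRegistration("app1", ["https://app1.example.com/cb"], siu)
    app2_siu = ClientRegistration("app2", ["https://app2.example.org/cb"], siu)
    ciba = ClientRegistration("ciba-poller", [], siu)
    print("no siu, different hosts -> different subs:", pairwise_sub(app1, alice) != pairwise_sub(app2, alice))
    print("shared siu, front channel -> same sub    :", pairwise_sub(app1_siu, alice) == pairwise_sub(app2_siu, alice))
    print("shared siu, CIBA client -> same sub      :", pairwise_sub(ciba, alice) == pairwise_sub(app1_siu, alice))
    print("CIBA client without siu                   :", registration_error(ClientRegistration("ciba-bad")))
```

The front-channel branch is the only place where the OP has something concrete to check the sector_identifier_uri against (the redirect_uris must appear in the fetched document); for a back-channel client the same code path has nothing to compare, which is the gap the "BadClient vs. OtherGoodPollingClient" question in the quoted messages is about.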



From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Nennker, Axel
Sent: Mittwoch, 14. Juni 2017 09:52
To: James.H.Manger at team.telstra.com; ve7jtb at ve7jtb.com
Cc: openid-specs-mobile-profile at lists.openid.net
Subject: Re: [Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

inline


From: Manger, James [mailto:James.H.Manger at team.telstra.com]
Sent: Mittwoch, 14. Juni 2017 06:29
To: Nennker, Axel <Axel.Nennker at telekom.de<mailto:Axel.Nennker at telekom.de>>; ve7jtb at ve7jtb.com<mailto:ve7jtb at ve7jtb.com>
Cc: openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>
Subject: RE: [Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

Axel,

> What are the threats if all client metadata is validated at registration time and all CIBA requests are authenticated?

- BadClient is not able to register for the same sector_identifier_uri as GoodPollingClient (regardless of CIBA or OIDC). This is nothing bad introduced by CIBA.

This is your mistake.
Multiple clients can register the same sector_identifier_uri — that is the whole point of the sector_id concept (grouping multiple apps). The issue is how does the registration system distinguish BadClient from OtherGoodPollingClient when both register the same sector_id?
I understand that point. That is the whole purpose of sector_identifier_uri.
The current Discovery spec does not go into details on validation.
The OIDC spec, too, does not go into detail how the validation is done.
There is nothing that is CIBA specific about validation.

--
James Manger
