[Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text

John Bradley ve7jtb at ve7jtb.com
Wed Jun 14 19:31:39 UTC 2017


Yes, the current Connect discovery spec covers redirect URI validation.
http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation

The value of the sector_identifier_uri MUST be a URL using the https scheme that references a JSON file containing an array of redirect_uri values. The values registered in redirect_uris MUST be included in the elements of the array, or registration MUST fail. This MUST be validated at registration time; there is no requirement for the OP to retain the contents of this JSON file or to retrieve or revalidate its contents in the future.

If all of the registered redirect URIs are not in the SIU array, then the registration MUST fail.

For postback, if all of the postback URIs are not in the SIU array, then registration MUST fail.

What is registration going to check and fail if the client is using CIBA polling and doesn't control the SIU?

That is why polling is different.  

Checking the JWKS is one way it could work if only asymmetric authentication is allowed.  

That is not ideal, I give you that, but what else is there? Not having anything largely makes any pairwise identifiers pointless.

John B.

> On Jun 14, 2017, at 2:52 AM, <Axel.Nennker at telekom.de> wrote:
> 
> inline
> 
> From: Manger, James [mailto:James.H.Manger at team.telstra.com]
> Sent: Wednesday, 14 June 2017 06:29
> To: Nennker, Axel <Axel.Nennker at telekom.de>; ve7jtb at ve7jtb.com
> Cc: openid-specs-mobile-profile at lists.openid.net
> Subject: RE: [Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text
> 
> Axel,
> 
> > What are the threats if all client metadata is validated at registration time and all CIBA requests are authenticated?
> - BadClient is not able to register for the same sector_identifier_uri as GoodPollingClient (regardless of CIBA or OIDC). This is nothing bad introduced by CIBA.
> 
> This is your mistake.
> Multiple clients can register the same sector_identifier_uri — that is the whole point of the sector_id concept (grouping multiple apps). The issue is how does the registration system distinguish BadClient from OtherGoodPollingClient when both register the same sector_id?
> I understand that point. That is the whole purpose of sector_identifier_uri.
> The current Discovery spec does not go into details on validation.
> The OIDC spec, too, does not go into detail how the validation is done.
> There is nothing that is CIBA specific about validation.
> 
> --
> James Manger

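Added illustration, not code from the thread or from any OpenID specification: the registration-time check the quoted Registration text describes, run against a constructed sector document, plus a helper that shows why a CIBA poll-mode client leaves that check with nothing to compare. The CIBA notification-endpoint metadata name used in the helper is an assumption.

```python
import json
from urllib.parse import urlparse

# Constructed stand-in for the JSON document an OP would fetch from the
# sector_identifier_uri at registration time: a JSON array of redirect_uri
# values. Embedded inline so the example runs without network access.
SECTOR_DOCUMENT = json.dumps([
    "https://app.example.com/cb",
    "https://mobile.example.com/cb",
    "https://ciba.example.com/notify",   # a CIBA ping/push notification endpoint
])


def sector_identifier_check(sector_identifier_uri, sector_document, client_uris):
    """Registration-time check from the quoted Registration spec text.

    Returns (ok, reason). Registration fails unless sector_identifier_uri uses
    https, the document is a JSON array, and every URI the client registered
    appears in that array.
    """
    if urlparse(sector_identifier_uri).scheme != "https":
        return False, "sector_identifier_uri must use the https scheme"
    try:
        allowed = json.loads(sector_document)
    except ValueError:
        return False, "sector document is not valid JSON"
    if not isinstance(allowed, list) or not all(isinstance(u, str) for u in allowed):
        return False, "sector document must be a JSON array of URI strings"
    missing = sorted(set(client_uris) - set(allowed))
    if missing:
        return False, "not in sector document: " + ", ".join(missing)
    return True, "ok"


def registration_uris(metadata):
    """Collect the URIs the sector document can be checked against.

    redirect_uris covers a normal OIDC client; the CIBA ping/push notification
    endpoint is read from 'backchannel_client_notification_endpoint' (assumed
    metadata name, not from the thread). A poll-mode client registers neither,
    so the list is empty and sector_identifier_check passes vacuously: the OP
    never learns whether that client controls the sector_identifier_uri.
    """
    uris = list(metadata.get("redirect_uris", []))
    endpoint = metadata.get("backchannel_client_notification_endpoint")
    if endpoint:
        uris.append(endpoint)
    return uris
```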