[OpenID] Discovery Endpoint CORS support?
Peter Williams
home_pw at msn.com
Tue Jun 23 19:10:41 UTC 2015
Microsoft's implicit grant and "full" ID token sample does a good job of teaching.
Start with https://yorkporc.wordpress.com/2015/06/17/implicit-grant-and-bearer-authentication/
In Microsoft Windows vs Microsoft web tooling land, there are very different security models at work, for the same standards. Provisioning a Windows account after an OpenID Connect handshake makes (ID) tokens into modern Kerberos PACs, whereas bearer ID tokens used between JS apps in non-confidential clients (Angular SPAs) and web endpoints are more webby (without a strong security model, in the Common Criteria sense).
Btw, TLS channel binding work is very different to merely doing handshakes over HTTPS. Channel binding tokens (in ID token format, now) protect 3-tier and HTTPS-CONNECT sensitive flows against trust point (and therefore trust point discovery) manipulation. Think of channel binding tokens as military grade TLS... (vs webby stuff, based on commodity PC motherboards, TPM, etc.)
Sent from my Windows Phone
________________________________
From: Cal Heldenbrand<mailto:cal at fbsdata.com>
Sent: 6/23/2015 11:29 AM
To: Breno de Medeiros<mailto:breno at google.com>
Cc: openid-general at lists.openid.net<mailto:openid-general at lists.openid.net>
Subject: Re: [OpenID] Discovery Endpoint CORS support?
What is a full ID token?
---------------------------------------------------------------
Cal Heldenbrand
Web Operations at FBS
Creators of flexmls <http://flexmls.com>® and Spark Platform <http://sparkplatform.com>
cal at fbsdata.com
On Tue, Jun 23, 2015 at 1:18 PM, Breno de Medeiros <breno at google.com> wrote:
> A more important point is that we should have documented the usage of
> 'full' ID tokens that contain profile info.
>
> On Tue, Jun 23, 2015 at 11:10 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
>> Yes we should have mentioned that in the discovery spec. That and the
>> JWKS file for the keys.
>>
>> John B.
>>
>> On Jun 23, 2015, at 2:57 PM, Cal Heldenbrand <cal at fbsdata.com> wrote:
>>
>> Hi everyone,
>>
>> I noticed when reading through the OIDC core spec, Section 4
>> <http://openid.net/specs/openid-connect-standard-1_0-21.html#userinfo>
>> has a blurb recommending CORS header support:
>>
>>> The UserInfo Endpoint SHOULD support the use of Cross Origin Resource
>>> Sharing (CORS) [CORS] and/or other methods as appropriate to enable
>>> JavaScript Clients to access the endpoint.
>>
>>
>> But when I look through the Discovery document
>> <https://openid.net/specs/openid-connect-discovery-1_0.html>, there are
>> no mentions of CORS support. If an OP advertises the implicit flow in the
>> metadata, shouldn't CORS support be a requirement in the specification?
>> Otherwise a js client will choke on an AJAX discovery request, and the
>> whole process is busted unless the developer manually specifies the
>> endpoints.
>>
>> I ran into this when testing the Implicit flow against Google's discovery
>> endpoint, and started down the rabbit hole of reading. ;-)
>>
>> Thank you!
>>
>> --Cal
>>
>> ---------------------------------------------------------------
>> Cal Heldenbrand
>> Web Operations at FBS
>> Creators of flexmls <http://flexmls.com/>® and Spark Platform <http://sparkplatform.com/>
>> cal at fbsdata.com
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>>
>
>
> --
> --Breno
>
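The failure Cal describes (a browser client "choking" on the discovery request) comes down to which CORS response headers the OP sends on the URLs a JavaScript client fetches directly. The following is an added example, not code from this thread or from any OpenID project: it models a browser-hosted relying party's pre-flight checks on an OP's metadata. The issuer, SPA origin, discovery document and response headers are all constructed sample values, chosen so that the discovery document itself lacks a CORS header while the JWKS and UserInfo endpoints have one.

```javascript
// Added example (not from the thread): is an OP's discovery metadata usable
// from a browser-hosted JavaScript client? All URLs, headers and metadata
// below are constructed sample values, not a real provider's.

const SPA_ORIGIN = "https://spa.example.net";              // constructed
const ISSUER = "https://op.example.com";                    // constructed
const DISCOVERY_URL = ISSUER + "/.well-known/openid-configuration";

// Constructed discovery document, trimmed to the fields this check uses.
const DISCOVERY_DOC = {
  issuer: ISSUER,
  authorization_endpoint: ISSUER + "/authorize",
  userinfo_endpoint: ISSUER + "/userinfo",
  jwks_uri: ISSUER + "/jwks.json",
  response_types_supported: ["code", "id_token", "id_token token"],
};

// Constructed response headers keyed by URL, as a browser would see them.
// The discovery document itself carries no CORS header here (the case in the thread).
const RESPONSE_HEADERS = {
  [DISCOVERY_URL]: { "Content-Type": "application/json" },
  [ISSUER + "/jwks.json"]: {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
  },
  [ISSUER + "/userinfo"]: {
    "Content-Type": "application/json",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "Authorization",
  },
};

// HTTP header names are case-insensitive; normalise before looking them up.
function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Can a script running at `origin` read a response carrying `headers`?
function corsAllowsOrigin(headers, origin) {
  const allow = lowerKeys(headers)["access-control-allow-origin"];
  return allow === "*" || allow === origin;
}

// UserInfo is called with "Authorization: Bearer <token>", a non-simple header
// that triggers a preflight. The OP must list Authorization explicitly in
// Access-Control-Allow-Headers; the "*" wildcard does not cover it.
function corsAllowsBearerAuth(headers) {
  const raw = lowerKeys(headers)["access-control-allow-headers"] || "";
  const allowed = raw.toLowerCase().split(",").map((s) => s.trim());
  return allowed.includes("authorization");
}

// Sanity checks a relying party performs before trusting the metadata: the
// issuer must match the one the client was configured with, required fields
// must be present, and the implicit flow (id_token) must actually be advertised.
function validateDiscoveryDoc(doc, expectedIssuer) {
  const problems = [];
  if (doc.issuer !== expectedIssuer) problems.push("issuer mismatch");
  for (const f of ["authorization_endpoint", "jwks_uri", "response_types_supported"]) {
    if (!(f in doc)) problems.push("missing " + f);
  }
  const types = doc.response_types_supported || [];
  if (!types.some((t) => t.split(" ").includes("id_token"))) {
    problems.push("implicit flow (id_token) not advertised");
  }
  return problems;
}

// Which URLs that a JavaScript client fetches directly would the browser block?
// The authorization endpoint is reached by redirect, not XHR, so it is not listed.
function browserBlockedEndpoints(discoveryUrl, doc, headersByUrl, origin) {
  const fetched = [
    ["discovery", discoveryUrl],
    ["jwks_uri", doc.jwks_uri],
    ["userinfo_endpoint", doc.userinfo_endpoint],
  ];
  const blocked = [];
  for (const [name, url] of fetched) {
    if (!url) continue;
    const headers = headersByUrl[url] || {};
    if (!corsAllowsOrigin(headers, origin)) {
      blocked.push(name);
    } else if (name === "userinfo_endpoint" && !corsAllowsBearerAuth(headers)) {
      blocked.push(name + " (Authorization not allowed in preflight)");
    }
  }
  return blocked;
}

console.log("metadata problems:", validateDiscoveryDoc(DISCOVERY_DOC, ISSUER));
console.log("blocked for browser client:",
  browserBlockedEndpoints(DISCOVERY_URL, DISCOVERY_DOC, RESPONSE_HEADERS, SPA_ORIGIN));
```

With the constructed headers, the metadata validates but `browserBlockedEndpoints` reports `discovery` as blocked, which is the situation in the thread: the document is public and valid, yet a SPA cannot read it cross-origin, so the developer ends up hard-coding the endpoints. A bearer token placed in the `Authorization` header by script is not a "credential" in the CORS sense (cookies, browser-managed HTTP auth, client certs are), so `Access-Control-Allow-Origin: *` is enough for UserInfo as long as the preflight response lists `Authorization`.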