[Openid-specs-ab] Claimed user identifiers
Breno de Medeiros
breno at google.com
Mon Apr 11 21:51:06 UTC 2011
On Mon, Apr 11, 2011 at 14:43, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Looking at breno's doc.
>
> The claimed user identifier or canonical id seems to be a string.
>
> The string is a local identifier for the user in the scope of the IdP.
>
> That is what Facebook Login and the Connect proposal have.
>
> If that is what we are going forward with, what is the identifier for the IdP that the RP uses to scope the ID?
The technical answer is that the RP should use the 'issuer' element in
the id_token. The id_token asserts a user id in the scope of an issuer
and makes that assertion valid only for the intended audience (i.e.,
RP).
Of course, that begs the question as to how the RP validates the issuer element.
I think this issue should be resolved in the context of the
discovery/automatic registration profiles. Without these, client_id
and issuer are based on explicit relationships, so the question is
moot.
>
> We don't really want to use an endpoint URI, because that prevents that URI from being changed in the future.
>
> If we use the domain name, that may prevent people from running multiple IdPs on the same host. (Probably the better of the two options.)
>
> With facebook login the scope is all Facebook, so that wasn't a problem.
>
> Do we need to establish an IdP identifier at registration time as a possible third option?
>
> The other thing that was discussed was to return a URI as the identifier; however, that would require some sort of pattern match on the host or an extra discovery step.
>
> I suspect that using the host name from the user-info endpoint as the scope of the identifier may be the simplest. Though the RP needs to keep it as a two part identifier.
>
> Thoughts?
>
> John B.
--
--Breno
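The point Breno makes above (the RP takes the identifier as asserted by the 'issuer' element of the id_token, and only when the token's audience is this RP) is illustrated by the following added example. It is not code from the thread or from any OpenID implementation; the HS256 shared secret, issuer URLs, client_id and subjects are constructed placeholders.

```python
"""Scope an id_token's user identifier by issuer and audience (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS as a constructed test fixture (not a real IdP token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def scoped_user_id(token: str, secret: bytes, expected_issuer: str,
                   client_id: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Verify the id_token and return the two-part identifier (issuer, sub).

    `sub` is never used on its own: it is only meaningful inside the issuer
    that asserted it, and only when the assertion was made for this RP (aud).
    """
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm before verifying
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this RP")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return (claims["iss"], claims["sub"])
```

Two tokens carrying the same `sub` from different issuers yield distinct (issuer, sub) pairs, which is the two-part identifier John describes the RP having to keep.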