[Openid-specs-ab] Claimed user identifiers

John Bradley ve7jtb at ve7jtb.com
Mon Apr 11 22:25:37 UTC 2011


So we are agreed that the user ID is a composite of two values, the Issuer and a local_ID?

John 

On 2011-04-11, at 5:51 PM, Breno de Medeiros wrote:

> On Mon, Apr 11, 2011 at 14:43, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> Looking at breno's doc.
>> 
>> The claimed user identifier or canonical id seems to be a string.
>> 
>> The string is a local identifier for the user in the scope of the IdP.
>> 
>> That is what Facebook Login and the Connect proposal have.
>> 
>> If that is what we are going forward with what is the identifier for the IdP that the RP uses to scope the ID.
> 
> The technical answer is that the RP should use the 'issuer' element in
> the id_token. The id_token asserts a user id in the scope of an issuer
> and makes that assertion valid only for the intended audience (i.e.,
> RP).
> 
> Of course, that begs the question as how the RP validates the issuer element.
> 
> I think this issue should be resolved in the context of the
> discovery/automatic registration profiles. Without these, client_id
> and issuer are based on explicit relationships, so the question is
> moot.
> 
>> 
>> We don't really want to use an endpoint URI, because that prevents that URI from being changed in the future.
>> 
>> If we use the domain name, that may prevent people from running multiple IdPs on the same host. (Probably the better of the two options.)
>> 
>> With facebook login the scope is all Facebook, so that wasn't a problem.
>> 
>> Do we need to establish an IdP identifier at registration time as a possible third option?
>> 
>> The other thing that was discussed was to return a URI as the identifier; however, that would require some sort of pattern match on the host or an extra discovery step.
>> 
>> I suspect that using the host name from the user-info endpoint as the scope of the identifier may be the simplest. Though the RP needs to keep it as a two-part identifier.
>> 
>> Thoughts?
>> 
>> John B.
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
> 
> 
> 
> -- 
> --Breno
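The composite identifier discussed in the thread above (the issuer plus an issuer-scoped local ID, asserted in an id_token that is only valid for the intended RP audience), shown as an added example in Python. This is not code from the thread, the OpenID Connect drafts or any participant; the claim names `issuer`, `user_id` and `aud`, the `UserKey`/`AccountStore` structures and the sample tokens are assumptions constructed for illustration. Signature verification is deliberately out of scope; the point is that the RP must key its accounts on the full (issuer, local_id) pair and reject tokens addressed to a different audience or from an issuer it has no relationship with.

```python
import json
from dataclasses import dataclass


class IdTokenError(ValueError):
    """Raised when an id_token fails a check the RP must perform."""


@dataclass(frozen=True)
class UserKey:
    """Composite user identifier: the issuer plus the issuer-scoped local ID.

    Neither half is meaningful on its own; the RP stores and compares both
    together. (Hypothetical structure for this example, not from any spec.)
    """
    issuer: str
    local_id: str


# Claim names are assumptions for this example, following the thread's wording
# (issuer, local ID, intended audience); they are not quoted from a spec.
ISSUER_CLAIM = "issuer"
LOCAL_ID_CLAIM = "user_id"
AUDIENCE_CLAIM = "aud"


def accept_id_token(raw: str, expected_aud: str, trusted_issuers: frozenset) -> UserKey:
    """Validate a JSON id_token (unsigned here) and return the scoped user key.

    Checks: well-formed JSON object, issuer present and already known to this
    RP (the explicit relationship the thread mentions, standing in for
    discovery), audience equal to this RP's client_id, non-empty local ID.
    """
    try:
        claims = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise IdTokenError(f"id_token is not valid JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise IdTokenError("id_token must be a JSON object")

    issuer = claims.get(ISSUER_CLAIM)
    if not isinstance(issuer, str) or not issuer:
        raise IdTokenError("missing issuer")
    if issuer not in trusted_issuers:
        raise IdTokenError(f"issuer not registered with this RP: {issuer}")

    # Accept a single audience string or a list of audiences (assumption).
    aud = claims.get(AUDIENCE_CLAIM)
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise IdTokenError("id_token not intended for this RP")

    local_id = claims.get(LOCAL_ID_CLAIM)
    if not isinstance(local_id, str) or not local_id:
        raise IdTokenError("missing local user id")

    return UserKey(issuer=issuer, local_id=local_id)


class AccountStore:
    """RP-side account table keyed by the full (issuer, local_id) pair."""

    def __init__(self):
        self._accounts: dict[UserKey, int] = {}

    def login(self, key: UserKey) -> int:
        """Return the RP account number for this key, creating one on first login."""
        if key not in self._accounts:
            self._accounts[key] = len(self._accounts) + 1
        return self._accounts[key]


# Constructed sample tokens (not real data): two different issuers both use the
# local ID "alice"; a third token is addressed to another client; a fourth
# comes from an issuer this RP has no relationship with.
RP_CLIENT_ID = "rp.example"
TRUSTED = frozenset({"https://idp-a.example", "https://idp-b.example"})
TOKEN_A = json.dumps({"issuer": "https://idp-a.example", "user_id": "alice", "aud": "rp.example"})
TOKEN_B = json.dumps({"issuer": "https://idp-b.example", "user_id": "alice", "aud": "rp.example"})
TOKEN_WRONG_AUD = json.dumps({"issuer": "https://idp-a.example", "user_id": "alice", "aud": "other.example"})
TOKEN_UNKNOWN_ISSUER = json.dumps({"issuer": "https://evil.example", "user_id": "alice", "aud": "rp.example"})


def demo() -> tuple:
    """Log in with both 'alice' tokens; they must land in two distinct accounts."""
    store = AccountStore()
    a = store.login(accept_id_token(TOKEN_A, RP_CLIENT_ID, TRUSTED))
    b = store.login(accept_id_token(TOKEN_B, RP_CLIENT_ID, TRUSTED))
    return a, b


if __name__ == "__main__":
    print(demo())  # (1, 2): same local ID, different issuers, different accounts
```

If the store were keyed on `local_id` alone, the second login would silently take over the first account; that is the cross-issuer collision the two-part identifier is meant to prevent. Keying on a host name derived from an endpoint URI would have the related problem the thread raises: the key changes whenever the IdP moves its endpoint.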
