[Openid-specs-ab] Question about secret_type: JWT
sakimura
sakimura at gmail.com
Mon Aug 29 01:49:38 UTC 2011
Just a little bit of history behind it.
The Section 3.1.5 of the REDIRECT had JSS (http://jsonenc.info/jss/1.0/)
instead of JWT before. JSS has only one way and a MUST field called
certs_uri. Since it is PEM-encoded X.509 certs, it does have iss etc.
encoded into it.
When we replaced JWS with JWT we lost this property.
Therefore, we had to specify them, but we have not yet done so.
The question then is: do we want to define how to validate iss etc. as
well?
OR shall we just rely on X.509 PKI?
=nat
On Wed, 24 Aug 2011 06:56:23 +0200, Andreas Åkre Solberg wrote:
> REDIRECT-05 Section 3.1.5 mentions the secret_type JWT:
>
>> If the secret_type is "basic", send the pre-shared secret. If the
>> secret_type is "JWT", send the compact serialization of the JWT [1]
>> [JWT] Signature over the 'code'.
>
> Is this method described somewhere in more details?
>
> It says JWT signature, but there is no JSON input? Does it mean JWS
> signature over the code string?
>
> Getting the consumer to sign something that the Provider presents,
> may be risky. May be not if a shared key is used, but if the consumer
> have a key-pair that it uses against multiple services. I'm thinking
> that the Provider can get a consumer to sign a code that the provider
> has received from a different provider; being able to impersonate the
> user.
>
> Andreas
>
> Links:
> ------
> [1]
>
> http://www.gosoudan.com/file:///Users/andreas/Library/Application%20Support/Evernote/data/101370/content/p3310/#JWT
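The cross-provider concern raised above is what claims such as iss and aud exist to address: if the client signs only the bare code string, the signature says nothing about who it was meant for. The following is an added example, not code from the thread, the REDIRECT draft, or any OpenID implementation. It builds a compact-serialized JWT over the code using HS256 with a shared secret (so it runs with the Python standard library alone) and shows the provider-side checks. The claim names (iss, aud, code, iat, exp, jti), the 60-second lifetime, the function names and all sample values are this example's own assumptions.

```python
"""Added example (not from the thread): an audience-bound JWT over the
authorization code, plus the provider-side checks that make the signature
unusable at any other provider. Claim names, the HS256 shared-secret
construction and the sample values are this example's assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set, Tuple


def _b64url(data: bytes) -> str:
    """Base64url without padding, as the JWT compact serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_code_assertion(code: str, client_id: str, provider_issuer: str,
                        shared_secret: bytes, now: Optional[int] = None) -> str:
    """Client side: put the code inside a signed claim set that also names
    the signer (iss) and the one provider allowed to accept it (aud)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": client_id,                    # who produced the signature
        "aud": provider_issuer,              # who may accept it
        "code": code,                        # the value the provider issued
        "iat": now,
        "exp": now + 60,                     # short lifetime (assumed value)
        "jti": secrets.token_urlsafe(16),    # one-time id for replay detection
    }
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims))
    tag = hmac.new(shared_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_code_assertion(token: str, expected_code: str, expected_client_id: str,
                          my_issuer: str, shared_secret: bytes, seen_jti: Set[str],
                          now: Optional[int] = None) -> Tuple[bool, str]:
    """Provider side. Returns (accepted, reason); each binding is checked
    separately so a log line can say which one failed."""
    now = int(time.time()) if now is None else now
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(c64))
    except ValueError:                        # covers base64, JSON and unpack errors
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    if header.get("alg") != "HS256":          # the verifier, not the token, fixes the algorithm
        return False, "unexpected alg"
    expected_tag = hmac.new(shared_secret, f"{h64}.{c64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, _b64url_decode(s64)):
        return False, "bad signature"
    if claims.get("aud") != my_issuer:        # signed for some other provider
        return False, "audience mismatch"
    if claims.get("iss") != expected_client_id:
        return False, "issuer mismatch"
    if claims.get("code") != expected_code:   # signature must cover this exact code
        return False, "code mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        return False, "replayed jti"
    seen_jti.add(jti)
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"    # constructed sample secret
    tok = sign_code_assertion("constructed-code", "client-123",
                              "https://op-a.example", secret)
    print(verify_code_assertion(tok, "constructed-code", "client-123",
                                "https://op-a.example", secret, set()))
    print(verify_code_assertion(tok, "constructed-code", "client-123",
                                "https://op-b.example", secret, set()))
```

With the aud claim checked against the verifying provider's own identifier, a signature produced for one provider is rejected at any other, which is the property a signature over the bare code string lacks. The jti set stands in for whatever replay store a real deployment keeps; the example keeps it in memory so it can run stand-alone.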