[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
John Bradley
ve7jtb at ve7jtb.com
Sun Sep 4 20:45:55 UTC 2011
Yes, Microsoft did make use of unsolicited positive assertions for their prototype OpenID selector.
A possible simple way around it would be for the RP to have an endpoint where an intelligent agent could make a request to start a session, that would allow the RP to provide its client ID for the IdP, state and nonce.
Without those, an intelligent agent won't be able to make an OAuth request.
With per-IdP client IDs and secrets it is a challenge. You really want global RP identifiers and asymmetric signatures to make an intelligent agent work reliably.
John
On 2011-09-02, at 2:57 PM, <Axel.Nennker at telekom.de> wrote:
> This might be useful for an active client.
> The ISA initiates the flow and sends the unsolicited positive assertion to the OC.
>
> What does OpenID Connect have to support intelligent agents?
>
> -Axel
>
>> -----Original Message-----
>> From: openid-specs-ab-bounces at lists.openid.net
>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf
>> Of John Bradley
>> Sent: Thursday, September 01, 2011 11:59 PM
>> To: openid-specs-ab at lists.openid.net
>> Subject: [Openid-specs-ab] IdP initiated login/ unsolicited
>> positive assertion.
>>
>> One issue to think about is that with all of our XSRF
>> protections we no longer have a way to do IdP initiated login.
>>
>> It was a feature of openID 2.0 that was almost never used. I
>> know that it is used more in SAML SSO.
>>
>> We could add back the ability to do it by adding a claim to
>> the id_token if the authorization server is initiating the
>> login, that way the RP would know that the nonce is IdP generated.
>>
>> I don't know that the additional complexity and security
>> issues are worth it.
>>
>> I thought I would mention it, in case someone cares deeply about it.
>>
>> John B.
>>
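As an added illustration (not code from this thread or from any OpenID Connect implementation), a minimal Python model of the RP "start a session" endpoint John describes, together with the callback check that makes the RP's XSRF protections reject any assertion it did not initiate. The client ID, the five-minute lifetime and the claim names are assumptions; id_token signature verification is assumed to happen separately.

```python
import secrets
import time

# Constructed example: how long an issued state/nonce pair stays valid (assumed value).
STATE_TTL_SECONDS = 300


class RelyingParty:
    def __init__(self, client_id):
        self.client_id = client_id  # assumed per-IdP client ID registered for this RP
        self._pending = {}  # state -> (nonce, issued_at); sessions this RP started

    def start_session(self, now=None):
        """The endpoint an intelligent agent calls before contacting the IdP.
        It returns the parameters the agent needs to build a request the RP
        will later accept: client_id, state and nonce."""
        now = time.time() if now is None else now
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[state] = (nonce, now)
        return {"client_id": self.client_id, "state": state, "nonce": nonce}

    def validate_callback(self, state, id_token_claims, now=None):
        """Accept a response only if it completes a session this RP started.
        Each state is single use, so a replayed or unsolicited (IdP-initiated)
        assertion fails because no matching pending session exists."""
        now = time.time() if now is None else now
        entry = self._pending.pop(state, None)  # pop: one state, one use
        if entry is None:
            return False, "unknown state: not an RP-initiated session"
        nonce, issued_at = entry
        if now - issued_at > STATE_TTL_SECONDS:
            return False, "state expired"
        claimed = id_token_claims.get("nonce")
        if not isinstance(claimed, str) or not secrets.compare_digest(claimed, nonce):
            return False, "nonce mismatch"
        if id_token_claims.get("aud") != self.client_id:
            return False, "id_token not issued for this client"
        return True, "ok"


if __name__ == "__main__":
    rp = RelyingParty("example-rp-client")
    params = rp.start_session()
    # A response carrying an RP-issued nonce is accepted; an unsolicited one is not.
    print(rp.validate_callback(params["state"], {"nonce": params["nonce"], "aud": "example-rp-client"}))
    print(rp.validate_callback("idp-chosen-state", {"nonce": "idp-chosen-nonce", "aud": "example-rp-client"}))
```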