[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
Breno de Medeiros
breno at google.com
Tue Sep 6 17:24:57 UTC 2011
On Sun, Sep 4, 2011 at 13:45, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes Microsoft did make use of unsolicited positive assertions for their prototype openID selector.
>
> A possible simple way around it would be for the RP to have an endpoint where a intelligent agent could make a request to start a session, that would allow the RP to provide it's client id for the IdP, state and nonce.
> Without those a intelligent agent, won't be able to make a OAuth request.
I think an endpoint for the RP to start the request is a better
approach than unsolicited assertions. It is more likely to be
maintainable. Consider for instance, that RPs may want to request
different attribute sets and that may evolve over time.
>
> With per IdP client ID and secrets it is a challenge. You really want global RP identifiers and asymmetric signatures to make a intelligent agent work reliably.
>
> John
>
> On 2011-09-02, at 2:57 PM, <Axel.Nennker at telekom.de> <Axel.Nennker at telekom.de> wrote:
>
>> This might be usefull for an active client.
>> The ISA initiates the flow and sends the unsolicited positive assertion to the OC.
>>
>> What does OpenID Connect have to support intelligent agents?
>>
>> -Axel
>>
>>> -----Original Message-----
>>> From: openid-specs-ab-bounces at lists.openid.net
>>> [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf
>>> Of John Bradley
>>> Sent: Thursday, September 01, 2011 11:59 PM
>>> To: openid-specs-ab at lists.openid.net
>>> Subject: [Openid-specs-ab] IdP initiated login/ unsolicited
>>> positive assertion.
>>>
>>> One issue to think about is that with all of our XSRF
>>> protections we no longer have a way to do IdP initiated login.
>>>
>>> It was a feature of openID 2.0 that was almost never used. I
>>> know that it is used more in SAML SSO.
>>>
>>> We could add back the ability to do it by adding a claim to
>>> the id_token if the authorization server is initiating the
>>> login, that way the RP would know that the nonce is IdP generated.
>>>
>>> I don't know that the additional complexity and security
>>> issues are worth it.
>>>
>>> I thought I would mention it, in case someone cares deeply about it.
>>>
>>> John B.
>>>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
--
--Breno
More information about the Openid-specs-ab
mailing list