[Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
John Bradley
ve7jtb at ve7jtb.com
Wed Sep 7 22:41:56 UTC 2011
Yes,
The question is if we need some mechanism like unsolicited assertions in Connect.
At the moment XSRF protection by the RP is going to stop it from working.
The prototype selector was just an example of things that used it. I suspect that Allen's example is the more important one.
John
On 2011-09-07, at 6:05 PM, Anthony Nadalin wrote:
> Please note that the prototype selector was just that and has not gone further
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Breno de Medeiros
> Sent: Tuesday, September 06, 2011 10:25 AM
> To: John Bradley
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
>
> On Sun, Sep 4, 2011 at 13:45, John Bradley <ve7jtb at ve7jtb.com> wrote:
>> Yes Microsoft did make use of unsolicited positive assertions for their prototype openID selector.
>>
>> A possible simple way around it would be for the RP to have an endpoint where an intelligent agent could make a request to start a session, that would allow the RP to provide its client id for the IdP, state and nonce.
>> Without those an intelligent agent won't be able to make an OAuth request.
>
> I think an endpoint for the RP to start the request is a better approach than unsolicited assertions. It is more likely to be maintainable. Consider for instance, that RPs may want to request different attribute sets and that may evolve over time.
>
>>
>> With per IdP client ID and secrets it is a challenge. You really want global RP identifiers and asymmetric signatures to make an intelligent agent work reliably.
>>
>> John
>>
>> On 2011-09-02, at 2:57 PM, <Axel.Nennker at telekom.de> wrote:
>>
>>> This might be useful for an active client.
>>> The ISA initiates the flow and sends the unsolicited positive assertion to the OC.
>>>
>>> What does OpenID Connect have to support intelligent agents?
>>>
>>> -Axel
>>>
>>>> -----Original Message-----
>>>> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
>>>> Sent: Thursday, September 01, 2011 11:59 PM
>>>> To: openid-specs-ab at lists.openid.net
>>>> Subject: [Openid-specs-ab] IdP initiated login/ unsolicited positive assertion.
>>>>
>>>> One issue to think about is that with all of our XSRF protections we
>>>> no longer have a way to do IdP initiated login.
>>>>
>>>> It was a feature of openID 2.0 that was almost never used. I know
>>>> that it is used more in SAML SSO.
>>>>
>>>> We could add back the ability to do it by adding a claim to the
>>>> id_token if the authorization server is initiating the login, that
>>>> way the RP would know that the nonce is IdP generated.
>>>>
>>>> I don't know that the additional complexity and security issues are
>>>> worth it.
>>>>
>>>> I thought I would mention it, in case someone cares deeply about it.
>>>>
>>>> John B.
>>>>
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> --
> --Breno
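To make John's two points concrete, here is an added illustration (not code from this thread, nor from any OpenID Connect implementation): an RP whose XSRF protection binds state and nonce to requests it issued itself, so an unsolicited IdP-initiated assertion is rejected, together with the "start session" endpoint he proposes, which hands an intelligent agent the client id, state and nonce it needs to make a normal OAuth request. The RelyingParty class, its method names and the dict-shaped id_token are hypothetical, and id_token signature checking is left out so the state/nonce logic stays visible.

```python
import hmac
import secrets


class RelyingParty:
    """Toy RP (hypothetical) with XSRF-bound state/nonce and a start endpoint."""

    def __init__(self, client_id, issuer):
        self.client_id = client_id
        self.issuer = issuer
        self._pending = {}  # state -> nonce, only for requests this RP started

    def start_login(self):
        """John's proposed endpoint: an agent calls it to have the RP begin
        a flow; the RP returns what the agent needs to build the request."""
        state = secrets.token_urlsafe(16)
        nonce = secrets.token_urlsafe(16)
        self._pending[state] = nonce
        return {"client_id": self.client_id, "state": state, "nonce": nonce}

    def handle_callback(self, state, id_token):
        """Accept an assertion only if it answers a request this RP issued.
        Each state is single-use, so a replay is rejected like an unsolicited one."""
        nonce = self._pending.pop(state, None)
        if nonce is None:
            return False, "unknown state: unsolicited or replayed"
        if id_token.get("iss") != self.issuer or id_token.get("aud") != self.client_id:
            return False, "issuer/audience mismatch"
        if not hmac.compare_digest(id_token.get("nonce", ""), nonce):
            return False, "nonce mismatch"
        return True, id_token["sub"]


def unsolicited_assertion(issuer, client_id, sub):
    """Constructed IdP-initiated assertion: state and nonce chosen by the IdP,
    which is exactly what the RP's XSRF check cannot tell from a forged login."""
    id_token = {"iss": issuer, "aud": client_id, "sub": sub,
                "nonce": secrets.token_urlsafe(16)}
    return secrets.token_urlsafe(16), id_token


def solicited_assertion(issuer, params, sub):
    """Constructed assertion built from the values the start endpoint handed out."""
    id_token = {"iss": issuer, "aud": params["client_id"], "sub": sub,
                "nonce": params["nonce"]}
    return params["state"], id_token
```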