[Openid-specs-ab] OpenID Connect Federations
John Bradley
ve7jtb at ve7jtb.com
Thu Aug 30 20:49:55 UTC 2012
I thought about signing the discovery response, however a self-signed JWT is no more trustworthy than plain JSON retrieved over HTTPS.
Where a JOSE signed discovery doc may be useful could be for querying a trusted federation service over something like MDX.
However I would see that as likely signed by the federation/trust service.
John
On 2012-08-24, at 7:21 AM, Andreas Åkre Solberg <andreas.solberg at uninett.no> wrote:
> Hi,
>
> again, I'm considering the possibility of building Identity Federations with OpenID Connect.
>
> I sketched my idea here:
>
> https://github.com/andreassolberg/documents/blob/master/openidconnect/draft-solberg-connect-federations.md
>
> The idea is basically to define a chain of JSON documents that lists trusted providers with the combination of issuer, jwt, UI info and possibly restrictions.
>
> I've done an attempt to get updated on the latest work on the 1.0 spec. A few comments wrt federations.
>
> I think it important to not rule out the possibility of implicit authorization. It is not obvious in Identity Federations to apply user consent /authorization at all.
> OIC Standard 2.3.4
> http://openid.net/specs/openid-connect-standard-1_0.html#anchor7
>
> Another thing is the discovery protocol. OIC Discovery 3.2 says response MUST be a plain JSON. I believe there will be several use cases for signing the response as a self-signed JWT.
>
> Andreas
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
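The distinction John draws above (a self-signed discovery JWT adds nothing over HTTPS, a federation-signed one does) comes down to where the verifier gets its key. The following added example is not from this thread or any OpenID implementation; it uses HS256 with a shared key as a stand-in for the federation service's real signing key, and the key names, kid values and discovery document are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_discovery(doc: dict, key: bytes, kid: str, embed_key: bool = False) -> str:
    """Wrap a discovery document in a compact JWS (HS256 stands in for the
    federation's real signing key). embed_key=True mimics a self-signed
    document that ships its own verification key in the JWS header."""
    header = {"alg": "HS256", "kid": kid}
    if embed_key:
        header["jwk"] = {"kty": "oct", "k": _b64url(key)}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(doc).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_discovery(jws: str, trust_anchors: dict) -> Optional[dict]:
    """Return the document if the JWS verifies under a key configured out of
    band (the federation/trust service), else None. Any key carried inside the
    JWS header is ignored: trusting it would let every self-signed document
    'verify', which is exactly why self-signing adds nothing over HTTPS."""
    try:
        h64, p64, s64 = jws.split(".")
        header = json.loads(_b64url_decode(h64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    key = trust_anchors.get(header.get("kid"))   # out-of-band key only
    if key is None:
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    return json.loads(_b64url_decode(p64))

# Constructed sample data: one federation trust anchor, one OP's own key.
FEDERATION_KEY = b"federation-trust-anchor-demo-key"
TRUST_ANCHORS = {"fed-2012": FEDERATION_KEY}
DISCOVERY_DOC = {"issuer": "https://op.example.org",
                 "jwks_uri": "https://op.example.org/jwks"}
federation_signed = sign_discovery(DISCOVERY_DOC, FEDERATION_KEY, "fed-2012")
self_signed = sign_discovery(DISCOVERY_DOC, b"op-own-key", "op-self", embed_key=True)
```

Only the federation-signed document verifies; the self-signed one is rejected because its kid matches no configured anchor, regardless of the key it embeds.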