[Openid-specs-ab] Self-issued "sub" claim value ambiguity

Mike Jones Michael.Jones at microsoft.com
Wed Jan 23 10:05:14 UTC 2013


FYI, so that the specs aren't ambiguous, I've changed the text "the concatenation of the key values" to "the concatenation of the bytes of the UTF-8 representations of the base64url encoded key values".  This could be changed if the working group prefers concatenating the key bytes (which would require base64url decoding the JWK values).  People who have implemented self-issued code, please comment!

                                                            Thanks,
                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Jones
Sent: Tuesday, January 22, 2013 9:07 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Self-issued "sub" claim value ambiguity

Standard 5.5<http://openid.net/specs/openid-connect-standard-1_0.html#self_issued.validation>, list item 5 says:
The Client MUST validate that the sub (subject) value is the base64url encoded SHA-256 hash of the concatenation of the key values in the user_jwk claim. When the alg value is RS256, the key values mod and exp are concatenated in that order. When the alg value is ES256, the key values crv, x and y are concatenated in that order.

This language leaves it ambiguous whether the concatenated key values in Standard 5.5 are supposed to be the base64url encoded values or the raw key bytes.  Following the precedents in the JOSE specs, I assume that we would concatenate the base64url encoded values.  Unless I hear objections, I'll clarify the specs to say that.

                                                            Thanks,
                                                            -- Mike
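The validation rule discussed above, as an added example that is not part of this thread or of any OpenID implementation: it computes the self-issued sub under the clarified reading (hash over the UTF-8 bytes of the base64url encoded values) and, for RS256, under the other reading (hash over the decoded key bytes) to show the two differ. The member names "mod"/"exp" follow the draft text quoted above; the key values are constructed, not real keys.

```python
import base64
import hashlib

# Members of user_jwk that feed the hash, in the order the draft lists them.
# Assumption: the draft's RSA member names "mod" and "exp" are used unchanged.
SUB_MEMBERS = {"RS256": ("mod", "exp"), "ES256": ("crv", "x", "y")}


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used for JWK members and for sub."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the JWK omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def self_issued_sub(jwk: dict, alg: str) -> str:
    """Clarified rule: SHA-256 over the UTF-8 bytes of the base64url encoded
    member values concatenated in order, then base64url encoded."""
    data = "".join(jwk[m] for m in SUB_MEMBERS[alg]).encode("utf-8")
    return b64url_encode(hashlib.sha256(data).digest())


def self_issued_sub_raw_bytes(jwk: dict, alg: str) -> str:
    """Other reading of the original text: decode each member to raw key bytes
    before concatenating. Shown for RS256 only, whose members are all base64url
    values (the ES256 crv member is a plain string such as "P-256")."""
    if alg != "RS256":
        raise ValueError("raw-bytes reading demonstrated for RS256 only")
    data = b"".join(b64url_decode(jwk[m]) for m in SUB_MEMBERS[alg])
    return b64url_encode(hashlib.sha256(data).digest())


def validate_sub(claims: dict, alg: str) -> bool:
    """Client-side check from Standard 5.5 item 5 using the clarified rule.
    alg is the ID Token's alg header value (RS256 or ES256)."""
    return claims.get("sub") == self_issued_sub(claims["user_jwk"], alg)


# Constructed sample keys (not real keys): byte patterns standing in for
# a 1024-bit RSA modulus, the common exponent 65537, and P-256 coordinates.
SAMPLE_RS256_JWK = {"mod": b64url_encode(bytes(range(1, 129))), "exp": "AQAB"}
SAMPLE_ES256_JWK = {
    "crv": "P-256",
    "x": b64url_encode(bytes(range(32))),
    "y": b64url_encode(bytes(range(32, 64))),
}
```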
