[Openid-specs-ab] Issue #863: Stateless Registration Discovery/Messages (openid/connect)
Salvatore D'Agostino
sal at idmachines.com
Fri Jul 26 13:23:31 UTC 2013
+1
-----Original Message-----
From: John Bradley [mailto:issues-reply at bitbucket.org]
Sent: Thursday, July 25, 2013 9:41 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Issue #863: Stateless Registration Discovery/Messages (openid/connect)
New issue 863: Stateless Registration Discovery/Messages
https://bitbucket.org/openid/connect/issue/863/stateless-registration-discovery-messages
John Bradley:
OpenID Connect currently requires registration for clients.
Clients using a self-issued IdP may register as part of the authorization
request, by sending the "registration" parameter containing a JSON object, and
using their redirect_uri as the client_id.
There is a desire by some IdPs to allow clients that are not pre-registered to
access a minimal set of claims for a user. This could be done with the
existing method by using the existing "registration" parameter to signal that
the client has not pre-registered.
Almost everything needed for this is in the current spec.
The needed additions would be an indication in Discovery that the
Authorization server supports this, and something in messages saying that if
the client is not pre-registered it MUST send the "registration" parameter with
at least {} as the contents if no other parameters are needed.
The AS would formulate a normal response verifying the client_id and the
redirect_uri match as is specified for the self_issued AS, then issue a normal
code or implicit response.
This would allow an IdP to return the "sub" claim to a client for SSO only
without any real security concerns as the Audience prevents replaying across
clients, and nonce if used (I think should be recommended) prevents replay
across browsers.
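As an added illustration (not code from the thread, the spec, or any implementation), here is how an Authorization Server could apply the quoted proposal on its side, and how a client would apply the audience and nonce checks the message relies on. The registered-client table, the URLs and the decision to reject non-https redirect_uris are assumptions for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed (hypothetical) table of pre-registered clients at the AS.
REGISTERED_CLIENTS = {
    "https://app.example/cb": {"redirect_uris": ["https://app.example/cb"]},
}

def validate_stateless_request(params, registered=None):
    """AS-side decision: may this authorization request proceed?

    Pre-registered clients take the normal path. Unregistered clients MUST send
    "registration" (at least {}) and use their redirect_uri as client_id; the
    AS verifies the two match, as it does for self-issued responses.
    Returns (ok, reason)."""
    registered = REGISTERED_CLIENTS if registered is None else registered
    client_id = params.get("client_id")
    redirect_uri = params.get("redirect_uri")
    if not client_id or not redirect_uri:
        return False, "client_id and redirect_uri are required"
    if client_id in registered:
        if redirect_uri not in registered[client_id]["redirect_uris"]:
            return False, "redirect_uri not registered for this client"
        return True, "pre-registered client"
    if "registration" not in params:
        return False, "unregistered client must send the registration parameter"
    try:
        reg = json.loads(params["registration"])
    except ValueError:
        return False, "registration parameter is not valid JSON"
    if not isinstance(reg, dict):
        return False, "registration must be a JSON object (at least {})"
    if client_id != redirect_uri:
        return False, "client_id must equal redirect_uri for stateless registration"
    if urlsplit(redirect_uri).scheme != "https":
        # Assumption for this example: only TLS callbacks are accepted.
        return False, "redirect_uri must use https"
    return True, "stateless registration accepted"

def verify_id_token_claims(claims, expected_client_id, expected_nonce):
    """Client-side checks from the thread: aud stops replay across clients,
    nonce (when used) stops replay across browsers. Returns (ok, reason)."""
    aud = claims.get("aud")
    aud_ok = aud == expected_client_id or (
        isinstance(aud, list) and expected_client_id in aud)
    if not aud_ok:
        return False, "aud does not name this client"
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, "ok"
```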