[Openid-specs-ab] well-known location for sector_identifier_uri
Mike Schwartz
mike at gluu.org
Tue Mar 15 23:57:03 UTC 2016
James,
>>> Pairwise ids are per domain.
I disagree with the above statement... unless I am reading this wrong:
http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation
"The sector identifier list provides a way for a group of Web sites
under single administrative control to have consistent pairwise sub
values, independent of their domain names"
http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
Providers that use pairwise sub values and support Dynamic Client
Registration [OpenID.Registration] SHOULD use the sector_identifier_uri
parameter. It provides a way for a group of websites under common
administrative control to have consistent pairwise sub values
independent of the individual domain names.
On 2016-03-14 22:18, Manger, James wrote:
> Mike,
>
> Apps need to register sector_identfier_uris from distinct domains if
> they want distinct pairwise ids as "the host component of that URL is
> used as the Sector Identifier for the pairwise identifier calculation"
> [OIDC core §8.1]. The apps can have redirect_uris hosted on the same
> site (eg https://example.com/app1/, https://example.com/app2/), but
> their sector_identfier_uris need to point to different sites (eg
> https://app1.example.com, https://app2.example.com) to get different
> ids.
>
> Pairwise ids are per domain. Registering a sector_identifier_uri just
> allows an app to get ids associated with a domain that is different
> from the domain in the app's redirect_uri.
>
> --
> James Manger
>
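An added example (not code from this thread or from any OpenID Provider) showing the two mechanics the thread argues about: the Sector Identifier is the host of sector_identifier_uri when one is registered and otherwise the host of the redirect_uri, and the pairwise sub is derived from that sector, the local account id and a provider-side salt, the hash construction OIDC Core §8.1 describes. The separator bytes, the salt and the sample client registrations are constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Constructed provider-side salt; a real OP keeps it secret and never rotates
# it, because rotation would change every pairwise sub it has ever issued.
OP_SALT = b"constructed-op-salt"


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Select the Sector Identifier for a client per OIDC Core 8.1.

    A registered sector_identifier_uri wins; otherwise all redirect_uris
    must share one host, and that host is the sector.
    """
    if sector_identifier_uri:
        return urlparse(sector_identifier_uri).hostname.lower()
    hosts = {urlparse(u).hostname.lower() for u in redirect_uris}
    if len(hosts) != 1:
        raise ValueError("multiple redirect_uri hosts require sector_identifier_uri")
    return hosts.pop()


def pairwise_sub(local_account_id, sector):
    """Hash(sector || local account id || salt), as OIDC Core 8.1 suggests.

    NUL separators (an assumption here) keep "ab"+"c" and "a"+"bc" distinct.
    """
    data = sector.encode() + b"\x00" + local_account_id.encode() + b"\x00" + OP_SALT
    return hashlib.sha256(data).hexdigest()


def demo(local_account_id="alice"):
    """Three constructed registrations, all with redirect_uris on example.com."""
    clients = {
        # Distinct sector_identifier_uri hosts -> distinct pairwise ids.
        "app1": (["https://example.com/app1/"], "https://app1.example.com"),
        "app2": (["https://example.com/app2/"], "https://app2.example.com"),
        # Same sector_identifier_uri as app1 -> same pairwise id as app1,
        # even though its redirect_uri lives on yet another host.
        "app1-mobile": (["https://m.example.net/cb"], "https://app1.example.com"),
        # No sector_identifier_uri -> sector is the redirect_uri host.
        "plain": (["https://example.com/cb"], None),
    }
    return {name: pairwise_sub(local_account_id, sector_identifier(*reg))
            for name, reg in clients.items()}


if __name__ == "__main__":
    for name, sub in demo().items():
        print(f"{name:12s} {sub}")
```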