[Openid-specs-ab] well-known location for sector_identifier_uri
Manger, James
James.H.Manger at team.telstra.com
Wed Mar 16 01:05:52 UTC 2016
>>> Pairwise ids are per domain.
> I disagree with the above statement.... unless I am reading this wrong:
You are not reading enough of it, Mike.
> http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation
> "The sector identifier list provides a way for a group of Web sites under single administrative control to have consistent pairwise sub values, independent of their domain names"
> http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
> Providers that use pairwise sub values and support Dynamic Client Registration [OpenID.Registration] SHOULD use the sector_identifier_uri parameter. It provides a way for a group of websites under common administrative control to have consistent pairwise sub values independent of the individual domain names.
Core is very clear when it goes on to say:
“If the Client has not provided a value for sector_identifier_uri …, the Sector Identifier used for pairwise identifier calculation is the host component of the registered redirect_uri.”
“When a sector_identifier_uri is provided, the host component of that URL is used as the Sector Identifier for the pairwise identifier calculation.”
The 3 example methods all use the field sector_identifier or the term "Sector Identifier" — not sector_identifier_uri — in calculating a pairwise id.
I suspect there will be many apps that don't initially specify a sector_identifier_uri (so the host part of its redirect_uri is used). Only later (when there are other versions of the app or related apps or a domain change) will a sector_identifier_uri be added. At that point you need to keep the same ids. That can work by choosing a sector_identifier_uri on the same domain as the initial redirect_uri — but only when the host portion (not the path) is used to calculate ids.
--
James Manger
On 2016-03-14 22:18, Manger, James wrote:
> Mike,
>
> Apps need to register sector_identifier_uris from distinct domains if
> they want distinct pairwise ids as "the host component of that URL is
> used as the Sector Identifier for the pairwise identifier calculation"
> [OIDC core §8.1]. The apps can have redirect_uris hosted on the same
> site (eg https://example.com/app1/, https://example.com/app2/), but
> their sector_identifier_uris need to point to different sites (eg
> https://app1.example.com, https://app2.example.com) to get different
> ids.
>
> Pairwise ids are per domain. Registering a sector_identifier_uri just
> allows an app to get ids associated with a domain that is different
> from the domain in the app's redirect_uri.
>
> --
> James Manger
>
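The rule James quotes from Core §8.1 (sector identifier = host of sector_identifier_uri if registered, otherwise host of the redirect_uri) and the migration scenario in his reply, shown as an added, runnable illustration. This is not code from the thread or from any OpenID implementation; the salt, the account ids and the URLs are constructed, and the hash construction is a generic instance of the "hash of sector identifier, local account id and salt" pattern, not any particular provider's algorithm. Validating the contents of the sector identifier document is out of scope here.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed provider-side salt (assumption for this example). A real OP
# keeps this secret and stable, otherwise every pairwise sub changes.
SALT = b"constructed-provider-salt"


def sector_identifier(redirect_uri, sector_identifier_uri=None):
    """Sector Identifier per OIDC Core 8.1: the host component of the
    registered sector_identifier_uri when one is present, otherwise the
    host component of the registered redirect_uri. Only the host counts;
    the path is deliberately ignored."""
    chosen = sector_identifier_uri if sector_identifier_uri else redirect_uri
    host = urlsplit(chosen).hostname
    if not host:
        raise ValueError("no host component in %r" % (chosen,))
    return host.lower()


def pairwise_sub(sector_id, local_account_id):
    """Hash-style pairwise sub: SHA-256 over the sector identifier, the
    provider's local account id and the provider salt. Same sector
    identifier + same account => same sub; either differs => different sub."""
    data = sector_id.encode() + b"|" + local_account_id.encode() + b"|" + SALT
    return hashlib.sha256(data).hexdigest()


def sub_for_client(local_account_id, redirect_uri, sector_identifier_uri=None):
    """Convenience wrapper: derive the sub an OP would issue to a client
    registered with the given redirect_uri / sector_identifier_uri."""
    return pairwise_sub(sector_identifier(redirect_uri, sector_identifier_uri),
                        local_account_id)


if __name__ == "__main__":
    # Two apps on the same host, no sector_identifier_uri: same sub.
    app1 = sub_for_client("alice", "https://example.com/app1/")
    app2 = sub_for_client("alice", "https://example.com/app2/")
    print("same host, no sector uri ->", app1 == app2)
    # Distinct sector_identifier_uri hosts: distinct subs.
    split = sub_for_client("alice", "https://example.com/app1/",
                           "https://app1.example.com/sector.json")
    print("sector uri on other host ->", split != app1)
    # Adding a sector_identifier_uri later on the ORIGINAL host keeps ids,
    # because only the host, not the path, feeds the calculation.
    later = sub_for_client("alice", "https://example.com/app1/",
                           "https://example.com/.well-known/sector.json")
    print("sector uri on same host keeps id ->", later == app1)
```

The third case is the migration James describes: an app that initially relied on its redirect_uri host can later register a sector_identifier_uri on that same host without changing any user's sub, which would not hold if the path were part of the calculation.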
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab