[Openid-specs-ab] Issue #1292: SIOP and Subject Resolving Identifiers (openid/connect)
David Waite
issues-reply at bitbucket.org
Mon Aug 16 22:59:22 UTC 2021
New issue 1292: SIOP and Subject Resolving Identifiers
https://bitbucket.org/openid/connect/issues/1292/siop-and-subject-resolving-identifiers
David Waite:
I propose a simplification of SIOP and DID usage, where the subject (`sub`) is either a JWK thumbprint or a URI which is considered a "subject resolving identifier".
A “subject resolving identifier” uses a trusted process to authoritatively resolve associated key material (JWKS) for a subject based on a given URI and scheme.
This definition is purposely meant to create a resolution process which is abstract to DID-based resolution as well as other potential schemes like WebFinger and SOLID.
If this resolution process is defined as an API, one would expect it to look similar to:
```swift
func requestSubjectKeys(
    subject: URI) -> (jwks: JSON)
```
Specifically:
1. The key material needs to be defined as a JWKS to support signing the id_token, which is a JOSE-based construct needing algorithms defined according to JWA.
2. Because data is not given in a way where authority and integrity can be independently confirmed, this is necessarily a trusted process/component.
The metadata for an RP or OP would be expected to include information on resolvable identifier schemes supported. The resolution schemes SHOULD have a prefix of the URI method, but may have further distinguishing data (such as a DID method, as these each require different resolution implementations).
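The following is an added illustration of the two `sub` forms described in the proposal, written in Python; it is not code from the issue, from the OpenID working group, or from any SIOP implementation. It assumes a verifier that receives the `sub` claim together with the key the holder presents (here a hypothetical `sub_jwk` parameter), computes the RFC 7638 thumbprint for the thumbprint form, and otherwise dispatches the URI to a trusted per-scheme resolver registered under a prefix such as `did:example`. The `did:example` directory and the EC key are constructed sample data, and the `SubjectKeyResolver` class and `select_verification_keys` function are names chosen for this example.

```python
import base64
import hashlib
import json
from typing import Callable, Dict, List, Optional

# Constructed sample EC key; the coordinates are sample values, not a real identity key.
SAMPLE_EC_JWK = {
    "kty": "EC", "crv": "P-256", "kid": "siop-key-1", "alg": "ES256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace.

    Optional members such as kid/alg/use are deliberately excluded, so adding or
    renaming them does not change the identifier.
    """
    required = {
        "RSA": ("e", "kty", "n"),
        "EC": ("crv", "kty", "x", "y"),
        "OKP": ("crv", "kty", "x"),   # RFC 8037 keys (Ed25519, X25519, ...)
        "oct": ("k", "kty"),
    }
    try:
        members = {name: jwk[name] for name in required[jwk["kty"]]}
    except KeyError as exc:
        raise ValueError(f"JWK missing member required for thumbprint: {exc}") from None
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode("utf-8")
    digest = hashlib.sha256(canonical).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


SchemeResolver = Callable[[str], dict]


class SubjectKeyResolver:
    """Registry of trusted resolvers keyed by scheme prefix ('did:example', 'https', ...).

    The prefix list doubles as what an RP or OP would advertise in its metadata
    as the resolvable identifier schemes it supports.
    """

    def __init__(self) -> None:
        self._by_prefix: Dict[str, SchemeResolver] = {}

    def register(self, prefix: str, resolver: SchemeResolver) -> None:
        self._by_prefix[prefix] = resolver

    def supported_schemes(self) -> List[str]:
        return sorted(self._by_prefix)

    def request_subject_keys(self, subject: str) -> dict:
        """Counterpart of the proposal's requestSubjectKeys(subject:) sketch: URI in, JWKS out."""
        # Longest prefix wins, so 'did:example' is tried before a generic 'did' handler.
        for prefix in sorted(self._by_prefix, key=len, reverse=True):
            if subject.startswith(prefix + ":"):
                return self._by_prefix[prefix](subject)
        raise ValueError(f"no trusted resolver registered for subject {subject!r}")


def select_verification_keys(sub: str, sub_jwk: Optional[dict],
                             resolver: SubjectKeyResolver) -> dict:
    """Return the JWKS the id_token signature must be checked against.

    A base64url thumbprint never contains ':', a URI always does, so that single
    character separates the two forms without any extra metadata.
    """
    if ":" not in sub:
        # Thumbprint form: the presented key must hash to sub. Note this only binds
        # the key to the identifier; possession is proven by the signature check
        # that follows, which is outside this function.
        if sub_jwk is None:
            raise ValueError("thumbprint sub requires a presented JWK")
        if jwk_thumbprint(sub_jwk) != sub:
            raise ValueError("presented JWK does not match sub thumbprint")
        return {"keys": [sub_jwk]}
    # URI form: authority and integrity come from the trusted resolver, not the token.
    return resolver.request_subject_keys(sub)


# Constructed stand-in for a DID method: an in-memory directory instead of a network lookup.
CONSTRUCTED_DID_DIRECTORY = {"did:example:alice": {"keys": [SAMPLE_EC_JWK]}}


def did_example_resolver(subject: str) -> dict:
    try:
        return CONSTRUCTED_DID_DIRECTORY[subject]
    except KeyError:
        raise ValueError(f"unknown DID {subject!r}") from None


def build_resolver() -> SubjectKeyResolver:
    resolver = SubjectKeyResolver()
    resolver.register("did:example", did_example_resolver)
    return resolver


if __name__ == "__main__":
    resolver = build_resolver()
    thumb = jwk_thumbprint(SAMPLE_EC_JWK)
    print("supported schemes:", resolver.supported_schemes())
    print("thumbprint sub:", thumb)
    print("keys for thumbprint sub:", select_verification_keys(thumb, SAMPLE_EC_JWK, resolver))
    print("keys for did sub:", select_verification_keys("did:example:alice", None, resolver))
```

The thumbprint path keeps the verifier free of any trusted component, at the cost of an opaque identifier; the URI path gives a stable, human-meaningful `sub` but, as the proposal's second point says, makes the resolver a trusted component, which is why it is wired in explicitly per scheme rather than fetched from whatever the token claims.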