[Openid-specs-ab] Issue #1208: SIOP V2 dynamic iss claim ref: REQUIRED. Issuer. MUST be https://self-issued.me/v2 (openid/connect)

Kristina Yasuda Kristina.Yasuda at microsoft.com
Tue Feb 23 13:02:53 UTC 2021


How would the RP check that it is a true "PWA / cloud wallet provider" and not a malicious provider pretending to be a good one?

________________________________
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on behalf of Oliver Terbu via Openid-specs-ab <openid-specs-ab at lists.openid.net>
Sent: Tuesday, 23 February 2021 21:47
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Oliver Terbu <o.terbu at gmail.com>; Adam Lemmon <issues-reply at bitbucket.org>
Subject: Re: [Openid-specs-ab] Issue #1208: SIOP V2 dynamic iss claim ref: REQUIRED. Issuer. MUST be https://self-issued.me/v2 (openid/connect)

+1 to expanding the iss field beyond https://self-issued.me. This would allow using id_token as a VP in the future as well, although I'm not arguing for that.

On Wed, 17 Feb 2021 at 02:59, Tobias Looker via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
+1 to expanding the iss field beyond https://self-issued.me; at the end of the day there is still a provider acting as the issuer of the id_token in SIOP, it's just that the provider is operating in a more distributed model (i.e. as a PWA or native app on the end-user's device) rather than as a centralized HTTP-based authorization server. So being able to identify who this provider is, rather than some opaque string that points more to how the provider is operating (e.g. https://self-issued.me), is a better all-round solution in my opinion. I think this issue also raises the need to review the signing process of id_tokens in SIOP.

Thanks,
Tobias Looker
Mattr
https://mattr.global
+64 (0) 27 378 0461
tobias.looker at mattr.global

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.


On Wed, Feb 17, 2021 at 1:55 PM Adam Lemmon via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
New issue 1208: SIOP V2 dynamic iss claim ref: REQUIRED. Issuer. MUST be https://self-issued.me/v2
https://bitbucket.org/openid/connect/issues/1208/siop-v2-dynamic-iss-claim-ref-required

Adam Lemmon:

Hi all,

We have had some good discussions on this during past calls and I wanted to formally get this down somewhere to kick off a discussion and aim to reach consensus on the use of the `iss` claim in SIOP v2.

We would like to discuss the option of enabling other URIs to be included as the `iss` claim and it not being constrained to self-issued.me/v2.

For example being able to specify a URL of a PWA / cloud wallet provider as the `iss` , which can prove useful information for an RP that is being presented claims from such.  We’d like a model that does not presume a specific deployment architecture of a wallet but is inclusive; native, PWA, cloud, etc.

Also, we had previously mentioned that the presence of a `sub_jwk` could be the signal to the RP that the token is self-signed, instead of the `iss` claim being constrained to self-issued.me/v2, as one option to consider.

Look forward to the discussion on this topic, thanks!


_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab


