[Openid-specs-ab] Issue #1399: SIOP with any OIDC flow (openid/connect)
tlodderstedt
issues-reply at bitbucket.org
Thu Jan 20 10:31:45 UTC 2022
New issue 1399: SIOP with any OIDC flow
https://bitbucket.org/openid/connect/issues/1399/siop-with-any-oidc-flow
Torsten Lodderstedt:
I suggest evolving SIOP to work with any OIDC flow. The current focus on the implicit flow makes sense for SIOP implementations (wallets) running on the user’s phone without server infrastructure. However, there are other architectures for self-issued SSI applications, for example web wallets. They have been around for some time and are capable of exposing the necessary endpoint for a code flow. Such wallets could benefit from the advanced capabilities of the code flow (or CIBA) and utilize standard OIDC libraries/products.
What would it mean to enable SIOP for those flows? If we boil down SIOP to its essence, it is a trust model where the user is in control of the key material and asserts claims about themselves. From a technical perspective, this means the user ultimately becomes the issuer of the ID token. Well, that can be done with any other OIDC flow. So I think there is not much more to add to the spec than to look for the issuer (or the `i_am_siop` claim) to decide how to process the ID token. And in the case of SIOP, the way the key is determined for validating the signature differs from “traditional” OIDC.
The specifics around SIOP with the implicit flow still hold true but become **an** implementation option out of many others.
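The two processing branches the proposal describes, as an added example that is not part of the issue or of any SIOP implementation: an RP decides from `iss` (or the `i_am_siop` claim) whether the ID token is self-issued, and if so takes the verification key from the token's `sub_jwk` (bound to `sub` by its RFC 7638 thumbprint) instead of the OP's published JWK set. The issuer values, `sub_jwk` handling and sample tokens are assumptions drawn from OpenID Connect Core section 7 and the SIOP v2 draft; the actual signature check is left to a JOSE library.

```python
import base64
import hashlib
import json

# Issuer values that mark a self-issued ID token (OpenID Connect Core section 7 and the SIOP v2 draft).
SIOP_ISSUERS = {"https://self-issued.me", "https://self-issued.me/v2"}
def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the key's required members))."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return _b64url_encode(hashlib.sha256(json.dumps(members, sort_keys=True, separators=(",", ":")).encode()).digest())

def is_self_issued(claims: dict) -> bool:
    return claims.get("iss") in SIOP_ISSUERS or claims.get("i_am_siop") is True

def select_verification_key(token: str, op_jwks_by_issuer: dict) -> dict:
    """Return the JWK the RP must verify the ID token's signature with; the check itself is left to a JOSE library."""
    header_b64, claims_b64, _sig = token.split(".")
    header, claims = json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))
    if header.get("alg", "none") == "none":
        raise ValueError("unsigned ID tokens are never acceptable")
    if is_self_issued(claims):
        # SIOP: the user is the issuer, so the key travels inside the token and is bound to sub.
        jwk = claims.get("sub_jwk")
        if jwk is None or claims.get("sub") != jwk_thumbprint(jwk):
            raise ValueError("self-issued token: sub_jwk missing or not bound to sub")
        return jwk
    # Traditional OIDC: the key comes from the OP's published JWK set, selected by kid.
    for jwk in op_jwks_by_issuer.get(claims.get("iss"), []):
        if jwk.get("kid") == header.get("kid"):
            return jwk
    raise ValueError("no key for issuer %r with kid %r" % (claims.get("iss"), header.get("kid")))

def build_token(header: dict, claims: dict) -> str:
    """Constructed sample token with a placeholder third segment; real tokens carry a signature there."""
    return ".".join(_b64url_encode(json.dumps(p).encode()) for p in (header, claims)) + ".c2lnbmF0dXJl"
# Constructed samples. The EC coordinates are the public key from RFC 7517 appendix A.1, reused for the OP.
WALLET_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
OP_JWKS = {"https://op.example": [dict(WALLET_JWK, kid="op-key-1")]}
SIOP_TOKEN = build_token({"alg": "ES256"}, {"iss": "https://self-issued.me", "aud": "https://rp.example",
                                            "sub": jwk_thumbprint(WALLET_JWK), "sub_jwk": WALLET_JWK})
OP_TOKEN = build_token({"alg": "ES256", "kid": "op-key-1"},
                       {"iss": "https://op.example", "aud": "https://rp.example", "sub": "user-42"})
```

Whatever flow delivered the token (implicit, code or CIBA), the same dispatch applies; only the key source changes between the two branches.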