[Openid-specs-ab] Processing sector_identifier_uri values

John Bradley ve7jtb at ve7jtb.com
Thu Oct 31 17:31:22 UTC 2013


You just need to validate the URI being added as a redirect_uri is covered by the uri in the JSON file. I would not expect that file to be consulted for changes between registrations.

If a URI is removed from the file and a client performs a registration update action and no longer has one of its registered redirect_uri in the file, that is currently unspecified.

I suppose the AS could just remove the redirect_uri or throw an error similar to trying to add a redirect_uri that is not covered.

Given that we don't currently have a way to update client registrations this would be outside the spec.

The file allows a client to maintain PPID across client_id changes or multiple clients. Checking it should only happen in registration; that is why it is not in the core spec.


 
On Oct 29, 2013, at 9:59 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:

> In his review of Registration, George wrote the following about http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation:
> It seems like there is some pretty complicated OP logic required to process the sector_identifier_uri.
> Given that the list of allowed redirect_uris in the JSON file can change at any time! the OP would
> need to pull the file and verify that the current client redirect_uri is still present in the list. That is too much
> overhead to do at token issuance. Should we have some guidance that redirect_uris can be added to the
> sector_identifier_uri file but SHOULD NOT be removed. Removing a redirect_uri from the file results in
> undefined behavior? With this guidance the OP can do all the necessary checking at client registration
> time which seems reasonable.
>  
> It’s always been my assumption that the sector_identifier_uri is validated once at registration time and never fetched again.  If people agree, I think we should say that.
>  
>                                                                 -- Mike
>  
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
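
The registration-time check discussed in this thread, sketched as an added example that is not part of the original messages or of the specification text. The `fetch` callable, the `RegistrationError` type, the helper names and the sample URLs are assumptions made for illustration; the file is read once and only the resulting sector identifier (the host) is kept with the client record.

```python
import json
from urllib.parse import urlsplit

class RegistrationError(Exception):
    """Raised when the registration request must be rejected."""

def validate_sector_identifier(sector_identifier_uri, redirect_uris, fetch):
    """Check once, at registration, that every redirect_uri is listed in the
    JSON array served at sector_identifier_uri. Returns the sector identifier
    (the host) for the OP to store with the client record.

    fetch is a hypothetical callable(url) -> bytes supplied by the caller.
    """
    parts = urlsplit(sector_identifier_uri)
    if parts.scheme != "https" or not parts.hostname:
        raise RegistrationError("sector_identifier_uri must be an https URL")
    try:
        listed = json.loads(fetch(sector_identifier_uri))
    except (ValueError, OSError) as exc:
        raise RegistrationError("cannot read sector identifier file") from exc
    if not isinstance(listed, list) or not all(isinstance(u, str) for u in listed):
        raise RegistrationError("file must be a JSON array of URI strings")
    # Exact string comparison: no prefix, wildcard or normalised matching.
    missing = [u for u in redirect_uris if u not in listed]
    if missing:
        raise RegistrationError("redirect_uris not covered: " + ", ".join(missing))
    return parts.hostname

# Constructed sample data: the file a group of related clients might publish.
SAMPLE_FILE = b'["https://app1.example.com/cb", "https://app2.example.com/cb"]'

def sample_fetch(url):
    """Stand-in for an HTTPS GET so the example runs offline."""
    return SAMPLE_FILE

def try_register(redirect_uris, uri="https://example.com/sector.json"):
    """Return the stored sector identifier, or the rejection reason."""
    try:
        return validate_sector_identifier(uri, redirect_uris, sample_fetch)
    except RegistrationError as exc:
        return "rejected: " + str(exc)

if __name__ == "__main__":
    print(try_register(["https://app1.example.com/cb"]))
    print(try_register(["https://app1.example.com/cb", "https://other.example.net/cb"]))
```

Because the returned host is stored at registration, token issuance never needs to fetch the file again, which is the behaviour both messages assume.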
