[Openid-specs-ab] well-known location for sector_identifier_uri

Manger, James James.H.Manger at team.telstra.com
Tue Mar 15 03:18:36 UTC 2016


Apps need to register sector_identifier_uris from distinct domains if they want distinct pairwise ids as "the host component of that URL is used as the Sector Identifier for the pairwise identifier calculation" [OIDC core §8.1]. The apps can have redirect_uris hosted on the same site (e.g. https://example.com/app1/, https://example.com/app2/), but their sector_identifier_uris need to point to different sites (e.g. https://app1.example.com, https://app2.example.com) to get different ids.

Pairwise ids are per domain. Registering a sector_identifier_uri just allows an app to get ids associated with a domain that is different from the domain in the app's redirect_uri.

James Manger

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Mike Schwartz
Sent: Tuesday, 15 March 2016 3:30 AM
To: openid-specs-ab at lists.openid.net
Cc: openid-specs-ab-request at lists.openid.net
Subject: Re: [Openid-specs-ab] well-known location for sector_identifier_uri


In the Gluu Server we just implemented interfaces to make it easier for domain admins to publish sector_identifier_uris. How could a single sector_identifier_uri work if you have multiple partners to which you want to issue distinct pairwise identifiers?

- Mike

Michael Schwartz
Founder / CEO
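
Added example, not part of the original messages or of any project's code: a sketch of the per-host pairwise calculation discussed in this thread, using the SHA-256 method that OIDC Core §8.1 gives as one example. The salt, account id, client dictionaries and function names are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed value: a real provider keeps its salt secret and stable.
PROVIDER_SALT = b"constructed-demo-salt"


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Return the host used as Sector Identifier for a client registration.

    Fetching sector_identifier_uri and checking that the JSON array it
    serves lists the client's redirect_uris is omitted from this sketch.
    """
    if sector_identifier_uri is not None:
        parts = urlsplit(sector_identifier_uri)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("sector_identifier_uri must be an https URL")
        return parts.hostname
    hosts = {urlsplit(u).hostname for u in redirect_uris}
    if len(hosts) != 1 or None in hosts:
        raise ValueError("redirect_uris span hosts; sector_identifier_uri required")
    return hosts.pop()


def pairwise_sub(sector, local_account_id, salt=PROVIDER_SALT):
    """sub = SHA-256(sector_identifier || local_account_id || salt)."""
    data = sector.encode() + local_account_id.encode() + salt
    return hashlib.sha256(data).hexdigest()


def sub_for_client(client, local_account_id):
    sector = sector_identifier(client["redirect_uris"],
                               client.get("sector_identifier_uri"))
    return pairwise_sub(sector, local_account_id)


# Constructed registrations mirroring the URLs in the message above.
APP1 = {"redirect_uris": ["https://example.com/app1/"]}
APP2 = {"redirect_uris": ["https://example.com/app2/"]}
APP1_SPLIT = {**APP1, "sector_identifier_uri": "https://app1.example.com"}
APP2_SPLIT = {**APP2, "sector_identifier_uri": "https://app2.example.com"}

if __name__ == "__main__":
    user = "local-account-1001"  # constructed local account id
    for name, client in [("app1", APP1), ("app2", APP2),
                         ("app1 split", APP1_SPLIT), ("app2 split", APP2_SPLIT)]:
        print(f"{name:11} {sub_for_client(client, user)[:16]}")
```

The first two lines of output share one sub because both redirect_uris resolve to the host example.com; the last two differ because the sector hosts differ.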
