[Openid-specs-ab] well-known location for sector_identifier_uri

Mike Schwartz mike at gluu.org
Tue Mar 15 23:57:03 UTC 2016


James,

>>> Pairwise ids are per domain.

I disagree with the above statement... unless I am reading this wrong:

http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation

"The sector identifier list provides a way for a group of Web sites 
under single administrative control to have consistent pairwise sub 
values, independent of their domain names"


http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg

Providers that use pairwise sub values and support Dynamic Client 
Registration [OpenID.Registration] SHOULD use the sector_identifier_uri 
parameter. It provides a way for a group of websites under common 
administrative control to have consistent pairwise sub values 
independent of the individual domain names.


On 2016-03-14 22:18, Manger, James wrote:
> Mike,
> 
> Apps need to register sector_identifier_uris from distinct domains if
> they want distinct pairwise ids as "the host component of that URL is
> used as the Sector Identifier for the pairwise identifier calculation"
> [OIDC core §8.1]. The apps can have redirect_uris hosted on the same
> site (eg https://example.com/app1/, https://example.com/app2/), but
> their sector_identifier_uris need to point to different sites (eg
> https://app1.example.com, https://app2.example.com) to get different
> ids.
> 
> Pairwise ids are per domain. Registering a sector_identifier_uri just
> allows an app to get ids associated with a domain that is different
> from the domain in the app's redirect_uri.
> 
> --
> James Manger
> 
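To make the two positions above concrete, here is an added illustration (not code from this thread, from the OpenID specs, or from any OP implementation) of how an OP derives the Sector Identifier and a pairwise sub from it. It follows the example algorithm in OIDC Core 8.1 (hash of sector identifier, local account id and an OP-secret salt); the function names, the NUL separators, the sample registrations and the salt value are my own assumptions.

```python
import hashlib
from urllib.parse import urlsplit


def sector_identifier(sector_identifier_uri=None, redirect_uris=()):
    """Sector Identifier per OIDC Core 8.1.

    If the client registered a sector_identifier_uri, its host component
    is the Sector Identifier. Otherwise all redirect_uris must share one
    host, and that host is used.
    """
    if sector_identifier_uri:
        return urlsplit(sector_identifier_uri).hostname
    hosts = {urlsplit(u).hostname for u in redirect_uris}
    if len(hosts) != 1:
        raise ValueError("redirect_uris span several hosts; a sector_identifier_uri is required")
    return hosts.pop()


def pairwise_sub(sector, local_account_id, salt):
    """Example pairwise algorithm sketched in OIDC Core 8.1: hash of the
    Sector Identifier, the local account id and a salt the OP keeps secret.
    NUL separators keep distinct inputs from colliding after concatenation
    (an implementation choice here, not something the spec mandates)."""
    data = f"{sector}\x00{local_account_id}\x00{salt}".encode()
    return hashlib.sha256(data).hexdigest()


# Constructed sample registrations; the salt is a placeholder, not a real secret.
SALT = "op-secret-salt-placeholder"
USER = "alice"

# Two apps whose redirect_uris share a host but whose sector_identifier_uris differ.
APP1 = {"redirect_uris": ["https://example.com/app1/"],
        "sector_identifier_uri": "https://app1.example.com/redirect_uris.json"}
APP2 = {"redirect_uris": ["https://example.com/app2/"],
        "sector_identifier_uri": "https://app2.example.com/redirect_uris.json"}
# Two sites on different domains that registered the same sector_identifier_uri.
SITE_A = {"redirect_uris": ["https://shop.example/cb"],
          "sector_identifier_uri": "https://sector.example.org/redirect_uris.json"}
SITE_B = {"redirect_uris": ["https://blog.example/cb"],
          "sector_identifier_uri": "https://sector.example.org/redirect_uris.json"}


def sub_for(client, local_account_id=USER, salt=SALT):
    """Pairwise sub the OP would issue to this client for this user."""
    sector = sector_identifier(client.get("sector_identifier_uri"), client["redirect_uris"])
    return pairwise_sub(sector, local_account_id, salt)
```

Run it and APP1 and APP2 get different subs despite sharing a redirect host, while SITE_A and SITE_B get the same sub despite different domains, which is exactly the "independent of their domain names" behaviour both quoted spec passages describe.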


