[Openid-specs-ab] well-known location for sector_identifier_uri

Manger, James James.H.Manger at team.telstra.com
Wed Mar 16 01:05:52 UTC 2016


>>> Pairwise ids are per domain.

>I disagree with the above statement.... unless I am reading this wrong:

You are not reading enough of it, Mike.

>http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation

>"The sector identifier list provides a way for a group of Web sites under single administrative control to have consistent pairwise sub values, independent of their domain names"

>http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg

>Providers that use pairwise sub values and support Dynamic Client Registration [OpenID.Registration] SHOULD use the sector_identifier_uri parameter. It provides a way for a group of websites under common administrative control to have consistent pairwise sub values independent of the individual domain names.

Core is very clear when it goes on to say:
“If the Client has not provided a value for sector_identifier_uri …, the Sector Identifier used for pairwise identifier calculation is the host component of the registered redirect_uri.”
“When a sector_identifier_uri is provided, the host component of that URL is used as the Sector Identifier for the pairwise identifier calculation.”

The 3 example methods all use the field sector_identifier or the term "Sector Identifier" — not sector_identifier_uri — in calculating a pairwise id.


I suspect there will be many apps that don't initially specify a sector_identifier_uri (so the host part of its redirect_uri is used). Only later (when there are other versions of the app or related apps or a domain change) will a sector_identifier_uri be added. At that point you need to keep the same ids. That can work by choosing a sector_identifier_uri on the same domain as the initial redirect_uri — but only when the host portion (not the path) is used to calculate ids.

--
James Manger




On 2016-03-14 22:18, Manger, James wrote:
> Mike,
> 
> Apps need to register sector_identifier_uris from distinct domains if 
> they want distinct pairwise ids as "the host component of that URL is 
> used as the Sector Identifier for the pairwise identifier calculation"
> [OIDC core §8.1]. The apps can have redirect_uris hosted on the same 
> site (eg https://example.com/app1/, https://example.com/app2/), but 
> their sector_identifier_uris need to point to different sites (eg 
> https://app1.example.com, https://app2.example.com) to get different 
> ids.
> 
> Pairwise ids are per domain. Registering a sector_identifier_uri just 
> allows an app to get ids associated with a domain that is different 
> from the domain in the app's redirect_uri.
> 
> --
> James Manger
> 
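
Worked illustration of the host-based Sector Identifier rule discussed above (Core 8.1 plus the Registration spec's Sector Identifier Validation), added here as an example; it is not code from the thread or from any OpenID implementation. The salt, the client records, the hash layout and the function names are constructed assumptions.

```python
import hashlib
from urllib.parse import urlparse

# Constructed OP-side salt (assumption); a real OP keeps this secret and stable,
# because changing it changes every pairwise sub it has ever issued.
PAIRWISE_SALT = b"example-op-salt-not-for-production"


def sector_identifier(redirect_uris, sector_identifier_uri=None):
    """Sector Identifier per OIDC Core 8.1: the host component of
    sector_identifier_uri when one is registered, else the host of the
    redirect_uri. Only the host matters; the path is ignored, which is why
    adding a sector_identifier_uri on the same host keeps the same ids."""
    if sector_identifier_uri:
        parsed = urlparse(sector_identifier_uri)
        if parsed.scheme != "https" or not parsed.hostname:
            raise ValueError("sector_identifier_uri must be an https URL with a host")
        return parsed.hostname.lower()
    hosts = {urlparse(u).hostname.lower() for u in redirect_uris}
    if len(hosts) != 1:
        # Registration spec: redirect_uris on several hosts need a sector_identifier_uri
        raise ValueError("redirect_uris span several hosts; register a sector_identifier_uri")
    return hosts.pop()


def validate_sector_document(redirect_uris, sector_document):
    """Registration-time check: every registered redirect_uri must appear in
    the JSON array the OP fetched from sector_identifier_uri. The fetched
    array is passed in here so the example runs offline."""
    return all(u in sector_document for u in redirect_uris)


def pairwise_sub(sector_id, local_account_id, salt=PAIRWISE_SALT):
    """One of the Core 8.1 example methods: a hash over the Sector Identifier,
    the local account id and a salt. Field separator and hex output are
    this example's own choices, not mandated by the spec."""
    digest = hashlib.sha256()
    digest.update(sector_id.encode() + b"|" + local_account_id.encode() + b"|" + salt)
    return digest.hexdigest()


def sub_for_client(client, local_account_id):
    """Derive the pairwise sub an OP would issue to `client` (a constructed
    registration record with redirect_uris and optional sector_identifier_uri)."""
    sid = sector_identifier(client["redirect_uris"], client.get("sector_identifier_uri"))
    return pairwise_sub(sid, local_account_id)
```

Two apps whose redirect_uris share a host receive identical subs for the same user; only a sector_identifier_uri on a different host separates them.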
