[Openid-specs-ab] well-known location for sector_identifier_uri

Mike Schwartz mike at gluu.org
Wed Mar 16 01:58:44 UTC 2016


Interesting point...

- Mike



On 2016-03-15 20:05, Manger, James wrote:
>>>> Pairwise ids are per domain.
> 
>> I disagree with the above statement.... unless I am reading this 
>> wrong:
> 
> You are not reading enough of it, Mike.
> 
>> http://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation
> 
>> "The sector identifier list provides a way for a group of Web sites 
>> under single administrative control to have consistent pairwise sub 
>> values, independent of their domain names"
> 
>> http://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
> 
>> Providers that use pairwise sub values and support Dynamic Client 
>> Registration [OpenID.Registration] SHOULD use the 
>> sector_identifier_uri parameter. It provides a way for a group of 
>> websites under common administrative control to have consistent 
>> pairwise sub values independent of the individual domain names.
> 
> Core is very clear when it goes on to say:
> “If the Client has not provided a value for sector_identifier_uri …,
> the Sector Identifier used for pairwise identifier calculation is the
> host component of the registered redirect_uri.”
> “When a sector_identifier_uri is provided, the host component of that
> URL is used as the Sector Identifier for the pairwise identifier
> calculation.”
> 
> The 3 example methods all use the field sector_identifier or the term
> "Sector Identifier" — not sector_identifier_uri — in calculating a
> pairwise id.
> 
> 
> I suspect there will be many apps that don't initially specify a
> sector_identifier_uri (so the host part of its redirect_uri is used).
> Only later (when there are other versions of the app or related apps
> or a domain change) will a sector_identifier_uri be added. At that
> point you need to keep the same ids. That can work by choosing a
> sector_identifier_uri on the same domain as the initial redirect_uri —
> but only when the host portion (not the path) is used to calculate
> ids.
> 
> --
> James Manger
> 
> 
> 
> 
> On 2016-03-14 22:18, Manger, James wrote:
>> Mike,
>> 
>> Apps need to register sector_identfier_uris from distinct domains if
>> they want distinct pairwise ids as "the host component of that URL is
>> used as the Sector Identifier for the pairwise identifier calculation"
>> [OIDC core §8.1]. The apps can have redirect_uris hosted on the same
>> site (eg https://example.com/app1/, https://example.com/app2/), but
>> their sector_identfier_uris need to point to different sites (eg
>> https://app1.example.com, https://app2.example.com) to get different
>> ids.
>> 
>> Pairwise ids are per domain. Registering a sector_identifier_uri just
>> allows an app to get ids associated with a domain that is different
>> from the domain in the app's redirect_uri.
>> 
>> --
>> James Manger
>> 
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-- 
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike at gluu.org


More information about the Openid-specs-ab mailing list