[Openid-specs-ab] Issue #1004: Core 8.1 Pairwise identifier algorithm and native apps (openid/connect)

Stefan Halén issues-reply at bitbucket.org
Mon Sep 12 09:02:57 UTC 2016

New issue 1004: Core 8.1 Pairwise identifier algorithm and native apps

Stefan Halén:

If a native app is registered with a redirect URI scheme that do not have a host component the calculating of the sub will fail. Possible solutions would be to demand a sector_identifier_uri or use the whole URI in the calculation of the sub. If the scheme are of other type than https or http and application_type=nativ.
The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application.

8.1.  Pairwise Identifier Algorithm
If the Client has not provided a value for sector_identifier_uri in Dynamic Client Registration [OpenID.Registration], the Sector Identifier used for pairwise identifier calculation is the host component of the registered redirect_uri. If there are multiple hostnames in the registered redirect_uris, the Client MUST register a sector_identifier_uri.

More information about the Openid-specs-ab mailing list