<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">+1<br>
<br>
I'm fine with this... basically....<br>
<br>
1. Only check at client registration. If success, bind
sector_identifier_uri to the client_id<br>
2. Mechanisms to update a client registration are outside the
scope of the document<br>
<br>
i.e. what Mike said:)<br>
<br>
Thanks,<br>
George<br>
<br>
</font>
<div class="moz-cite-prefix">On 10/31/13 1:31 PM, John Bradley
wrote:<br>
</div>
<blockquote
cite="mid:3415F8AA-C657-4CAF-9252-AA10A19C5CDA@ve7jtb.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
You just need to validate the URI being added as a redirect_uri is
covered by the uri in the JSON file. I would not expect that
file to be consulted for changes between registrations.
<div><br>
</div>
<div>If a URI is removed from the file and a client performs a
registration update action and no longer has one of its
registered redirect_uri in the file, that is currently
unspecified. </div>
<div><br>
</div>
<div>I suppose the AS could just remove the redirect_uri or throw
an error similar to trying to add a redirect_uri that is not
covered.</div>
<div><br>
</div>
<div>Given that we don't currently have a way to update client
registrations this would be outside the spec.</div>
<div><br>
</div>
<div>The file allows a client to maintain PPID across client_id
changes or multiple clients, checking it should only happen in
registration that is why it is not in the core spec.</div>
<div><br>
</div>
<div><br>
</div>
<div> <br>
<div>
<div>On Oct 29, 2013, at 9:59 PM, Mike Jones <<a
moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div link="blue" vlink="purple" style="font-family:
Helvetica; font-size: 12px; font-style: normal;
font-variant: normal; font-weight: normal; letter-spacing:
normal; line-height: normal; orphans: auto; text-align:
start; text-indent: 0px; text-transform: none;
white-space: normal; widows: auto; word-spacing: 0px;
-webkit-text-stroke-width: 0px;" lang="EN-US">
<div class="WordSection1" style="page: WordSection1;">
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">In his review of
Registration, George wrote the following about <a
moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation"
style="color: purple; text-decoration: underline;">http://openid.net/specs/openid-connect-registration-1_0-20.html#SectorIdentifierValidation</a>:</div>
<div style="margin: 0in 0in 0.0001pt 0.5in; font-size: 11pt;
font-family: Helvetica, sans-serif;">It seems like there is some
pretty complicated OP logic required to process the
sector_identifier_uri. Given that the list of allowed
redirect_uris in the JSON file can change at any time! the OP
would need to pull the file and verify that the current client
redirect_uri is still present in the list. That is too much
overhead to do at token issuance. Should we have some guidance
that redirect_uris can be added to the sector_identifier_uri file
but SHOULD NOT be removed. Removing a redirect_uri from the file
results in undefined behavior? With this guidance the OP can do
all the necessary checking at client registration time which
seems reasonable.</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;"> </div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">It’s always been my
assumption that the sector_identifier_uri is validated
once at registration time and never fetched again. If
people agree, I think we should say that.</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;"> </div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;">-- Mike</div>
<div style="margin: 0in 0in 0.0001pt; font-size: 11pt;
font-family: Calibri, sans-serif;"> </div>
</div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"
style="color: purple; text-decoration: underline;">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
style="color: purple; text-decoration: underline;">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<div class="moz-signature">-- <br>
<a href="http://connect.me/gffletch" title="View full card on
Connect.Me">George Fletcher</a></div>
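<p>As an added example, not code from this thread or from the OpenID Connect specs: a registration-time check in Python following the two points summarized above (verify every registered redirect_uri is covered by the JSON array at sector_identifier_uri once, at registration, then bind the resulting sector to the client_id; token issuance later uses only the stored record). The HTTPS fetch is replaced by a constructed in-memory lookup, and the function names, error class and record layout are assumptions of this example.</p>

```python
import json
from urllib.parse import urlparse

# Constructed stand-in for the HTTPS fetch of a sector_identifier_uri:
# maps the URI an OP would GET to the JSON body it would receive.
SECTOR_DOCS = {
    "https://client.example.org/sector.json": json.dumps([
        "https://app1.example.org/cb",
        "https://app2.example.org/cb",
    ]),
}

class RegistrationError(Exception):
    """Registration request rejected (would map to invalid_client_metadata)."""

def fetch_sector_document(uri):
    """Return the JSON array found at sector_identifier_uri (offline stub)."""
    if uri not in SECTOR_DOCS:
        raise RegistrationError("sector_identifier_uri could not be retrieved")
    doc = json.loads(SECTOR_DOCS[uri])
    if not isinstance(doc, list) or not all(isinstance(u, str) for u in doc):
        raise RegistrationError("sector document is not a JSON array of strings")
    return doc

def register_client(metadata, client_id, registry):
    """Check redirect_uris against the sector document once, at registration,
    then bind the resulting sector to client_id. Later token issuance reads
    the stored record only; the sector file is never fetched again."""
    redirect_uris = metadata["redirect_uris"]
    sector_uri = metadata.get("sector_identifier_uri")
    if sector_uri is None:
        # No sector_identifier_uri: all redirect_uris must share one host,
        # which then serves as the sector for pairwise subject identifiers.
        hosts = {urlparse(u).hostname for u in redirect_uris}
        if len(hosts) != 1:
            raise RegistrationError("multiple redirect_uri hosts need a sector_identifier_uri")
        sector_host = hosts.pop()
    else:
        if urlparse(sector_uri).scheme != "https":
            raise RegistrationError("sector_identifier_uri must use https")
        allowed = set(fetch_sector_document(sector_uri))
        # Exact string match: every registered redirect_uri must be in the list.
        missing = [u for u in redirect_uris if u not in allowed]
        if missing:
            raise RegistrationError("redirect_uri not covered by sector document: " + missing[0])
        sector_host = urlparse(sector_uri).hostname
    record = {"client_id": client_id, "redirect_uris": list(redirect_uris),
              "sector_identifier_uri": sector_uri, "sector_host": sector_host}
    registry[client_id] = record
    return record
```

A redirect_uri that is later removed from the sector file is not noticed by this code, which is exactly the "outside the scope" behaviour the thread settles on; an update mechanism would have to re-run the same check.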
</body>
</html>