<html><head><base href="x-msg://1231/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I don't know that it is a good idea for the shared secret for the IdP to be in the browser for validating the HMAC.<div><br></div><div>That validation is probably best done by the RP on the server. If it could do RSA signature validation that would be OK.</div><div><br></div><div>I don't know that the user agent needs to do encryption, it just passes the tokens through in the simple case.</div><div><br></div><div>In the more complicated case it would provide the UI for the claims selection etc.</div><div><br></div><div>I don't know that we want to go down the p-card route where the agent is the IdP for some set of self asserted claims. That would need to support signing and encryption.</div><div><br></div><div>John B.<br><div><div>On 2011-01-18, at 8:23 PM, Anthony Nadalin wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; font-size: medium; "><div lang="EN-US" link="blue" vlink="purple"><div class="WordSection1" style="page: WordSection1; "><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">A user agent may not be a dumb as you think and with JavaScript it can do the HMAC validation<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; ">From:</span></b><span style="font-size: 10pt; font-family: Tahoma, sans-serif; "><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-connect-bounces@lists.openid.net" style="color: blue; text-decoration: underline; ">openid-specs-connect-bounces@lists.openid.net</a><span class="Apple-converted-space"> </span>[mailto:openid-specs-connect-bounces@lists.openid.net]<span class="Apple-converted-space"> </span><b>On Behalf Of<span class="Apple-converted-space"> </span></b>Nat Sakimura<br><b>Sent:</b><span class="Apple-converted-space"> </span>Tuesday, January 18, 2011 8:12 AM<br><b>To:</b><span class="Apple-converted-space"> </span>John Bradley<br><b>Cc:</b><span class="Apple-converted-space"> </span><a href="mailto:openid-specs-ab@lists.openid.net" style="color: blue; text-decoration: underline; ">openid-specs-ab@lists.openid.net</a>; the Connect work group<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [Openid-specs-ab] Validation Characteristics of UserInfo Endpoint<o:p></o:p></span></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Right. If you can sign and encrypt for the User-Agent, yes. <o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">The assumption was that since the "user-agent" is dumb enough that it cannot even validate HMAC, it would not be able to do the encryption either. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">For a rich client apps, sign+encrypt is the way to go, I think. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">=nat<o:p></o:p></p><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Tue, Jan 18, 2011 at 9:09 PM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" style="color: blue; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">If you encrypt and sign to the RP the User agent flow would have the same security characteristics as the Web Server flow. This is arguably the most efficient flow as the RP doesn't need to make any direct call to the IdP.<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Both flows allow the RP to rely on SSL rather than the signature to validate the sender.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think the RP should select one over the other based on the user agent to avoid sending large assertions through mobile devices, or always use the web server flow if they want LoA 2 but don't want to support encryption.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think mobile support argues for making the web server flow the default or MTI flow for RP.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">That way LoA 2 would be the default, from a spec point of view. Nothing stops a RP from just doing a LoA1 User Agent flow, however that may not work well for all user devices.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">John B.<o:p></o:p></div></div><div><div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2011-01-17, at 10:52 PM, Nat Sakimura wrote:<o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Thanks Breno for your comment. <o:p></o:p></p><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Tue, Jan 18, 2011 at 4:09 AM, Breno de Medeiros <<a href="mailto:breno@google.com" target="_blank" style="color: blue; text-decoration: underline; ">breno@google.com</a>> wrote:<o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">My preference is that the User-Agent and WebServer flows be as similar as possible. It will make easier to change between implementations, and facilitate developer's understanding of the OpenIDConnect flows.<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">As it is written now, the UAB and AB shares exactly the same Core model and abstract protocol. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><blockquote style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding-top: 0in; padding-right: 0in; padding-bottom: 0in; padding-left: 6pt; margin-left: 4.8pt; margin-right: 0in; "><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Since User-Agent has a more limited operational context in terms of security, I suggest we design an end-to-end solution for it, and then make minimal changes to add support for WebServer flow.<o:p></o:p></div></div></blockquote><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Actually, WebServer flow requires much less security measures than User-Agent flow. If we start from User-Agent flow, it amounts to removing various requirements. For example, in Web Server/Artifact Flow, you do not need to sign the access_token etc. if you just want LoA1 (which is the highest User-Agent flow can go.) <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">=nat<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><blockquote style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding-top: 0in; padding-right: 0in; padding-bottom: 0in; padding-left: 6pt; margin-left: 4.8pt; margin-right: 0in; "><div><div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></p><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Fri, Jan 14, 2011 at 19:06, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color: blue; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">An existing graph API Endpoint would need to be modified to return a JWT anyway. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think it is cleaner to keep them as separate protected resources. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">We are adding complexity for backwards compatibility with legacy oAuth. Seems ironic. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">John<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>Sent from my iPad<o:p></o:p></div></div><div><div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>On 2011-01-14, at 11:51 PM, Nat <<a href="mailto:sakimura@gmail.com" target="_blank" style="color: blue; text-decoration: underline; ">sakimura@gmail.com</a>> wrote:<o:p></o:p></p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt; "><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">The complication seem to be the fact that some use vases are overloading the UserInfo endpoint. If we want to use an existing graph API for this purpose, it obviously does not work. <br><br>=nat<o:p></o:p></div></div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>On 2011/01/15, at 10:18, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color: blue; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></p></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt; "><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Assuming the JWT is signed then a smart client validates the sig and a dumb one sends it to the Sig validation endpoint otherwise known as the user info endpont.<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">The endpoint then only needs to validate the sig on the JWT and hand it back in the simple case.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">John B.<o:p></o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2011-01-14, at 10:14 PM, Nat Sakimura wrote:<o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">I agree in sending the entire JWT to the Signature Validation Endpoint. UserInfo Endpoint looks like a kind of such. <o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">=nat<o:p></o:p></p><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Sat, Jan 15, 2011 at 9:55 AM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color: blue; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">I was thinking that the access tokens for the various endpoints would be in the JWT. The JWT would only be the access token for the user info endpoint.<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">John B.<o:p></o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2011-01-14, at 9:51 PM, Nat Sakimura wrote:<o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br><o:p></o:p></div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></p><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On Sat, Jan 15, 2011 at 9:03 AM, John Bradley <<a href="mailto:ve7jtb@ve7jtb.com" target="_blank" style="color: blue; text-decoration: underline; ">ve7jtb@ve7jtb.com</a>> wrote:<o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">I think exchanging code for the access token in the web server flow is equivalent proof for any assertion returned along with the access token in the web server flow.<o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Thanks. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "> <o:p></o:p></div></div><blockquote style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding-top: 0in; padding-right: 0in; padding-bottom: 0in; padding-left: 6pt; margin-left: 4.8pt; margin-right: 0in; "><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On your second question, that's why I was asking if the JWT returned in the web server flow could also be the access token. Given that it is a new endpoint there are no backwards compatibility issues. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">It works for the user agent flow as well, as far as I can tell. I was discussing a similar idea with the UMA people for there dumb mode flow.<o:p></o:p></div></div></div></blockquote><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Unless, of course, we return the access tokens for multiple endpoints. We may not want to reveal more information than necessary. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><blockquote style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding-top: 0in; padding-right: 0in; padding-bottom: 0in; padding-left: 6pt; margin-left: 4.8pt; margin-right: 0in; "><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">John B.<o:p></o:p></div></div><div><div><div><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">On 2011-01-14, at 8:52 PM, Nat Sakimura wrote:<o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div><blockquote style="margin-top: 5pt; margin-bottom: 5pt; "><div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Hi. <o:p></o:p></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">I have a question about the validation characteristics of the UserInfo Endpoint. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">According to the<span class="Apple-converted-space"> </span><a href="http://openidconnect.com/" target="_blank" style="color: blue; text-decoration: underline; ">openidconnect.com</a><span class="Apple-converted-space"> </span>proposal, the Client is supposed to make a query to the UserInfo Endpoint if it does not wish to validate the signature on the positive assertion that includes the access_token. It sends the user_id and access_token to the UserInfo Endpoint and it gets back asserted_user among other things. If asserted_user is true, then the validation was successful. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">It makes some sense in the User-Agent Flow. In case of the User-Agent Flow, the assertion is returned through the browser/user-agent so it cannot be trusted. It may have been tampered etc. Thus, assuming it is operated by the Authorization Server, sending the query to the UserInfo Endpoint has value. Also, there is an additional value in doing so because the UserInfo Endpoint can validate that it is the same User-Agent that was found at the End User Authorization Endpoint, that the User-Agent has not been swapped. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">However, it does not make much sense in case of the Web Server like flows where 'code' is exchanged to 'access_token' over the direct https Client-Server channel. All the validation characteristics for the UserInfo Endpoint already exists in the Access Token Endpoint. Thus, UserInfo query is redundant as a validation process and becomes an OPTIONAL user attribute query. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Am I missing something? If I am right, then the 'MUST check' language comes in for the validation through the UserInfo Endpoint only in the User-Agent Flow. In fact, the assertion does not even have to be signed by the Server in case of Web Server/Artifact Flow. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">Also, in the current<span class="Apple-converted-space"> </span><a href="http://openidconnect.com/" target="_blank" style="color: blue; text-decoration: underline; ">openidconnect.com</a><span class="Apple-converted-space"> </span>proposal, only the access_token and user_id but not the entire token is sent to the UserInfo Endpoint. It was argued earlier that this was done because UserInfo Endpoint ought to be a regular protected resource. I thought that was a good reason. However, now I consider it as a validation endpoint, I find some value in sending the entire JWT as well. If the JWT was using RSA or EC-DSA as a signature algorithm, then the validation endpoint can be operated by a separate entity than the Server, without assuming any additional characteristics on the access_token. It probably is worth considering. <o:p></o:p></div></div><div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>--<span class="Apple-converted-space"> </span><br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" target="_blank" style="color: blue; text-decoration: underline; ">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" target="_blank" style="color: blue; text-decoration: underline; ">http://twitter.com/_nat_en</a><o:p></o:p></div></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: blue; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: blue; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></div></blockquote></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></blockquote></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br clear="all"><br>--<span class="Apple-converted-space"> </span><br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" target="_blank" style="color: blue; text-decoration: underline; ">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" target="_blank" style="color: blue; text-decoration: underline; ">http://twitter.com/_nat_en</a><o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br clear="all"><br>--<span class="Apple-converted-space"> </span><br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" target="_blank" style="color: blue; text-decoration: underline; ">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" target="_blank" style="color: blue; text-decoration: underline; ">http://twitter.com/_nat_en</a><o:p></o:p></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></blockquote></div></blockquote></div></div></div><p class="MsoNormal" style="margin-top: 0in; margin-right: 0in; margin-bottom: 12pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" style="color: blue; text-decoration: underline; ">Openid-specs-ab@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" style="color: blue; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br clear="all"><br>--<o:p></o:p></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; ">--Breno<o:p></o:p></div></div></blockquote></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br clear="all"><br>--<span class="Apple-converted-space"> </span><br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" target="_blank" style="color: blue; text-decoration: underline; ">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" target="_blank" style="color: blue; text-decoration: underline; ">http://twitter.com/_nat_en</a><o:p></o:p></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><o:p> </o:p></div></div></div></div></div></div></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><br clear="all"><br>--<span class="Apple-converted-space"> </span><br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/" style="color: blue; text-decoration: underline; ">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en" style="color: blue; text-decoration: underline; ">http://twitter.com/_nat_en</a><o:p></o:p></div></div></div></div></span></blockquote></div><br></div></body></html>