[Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)
Axel.Nennker at telekom.de
Wed May 24 08:06:10 UTC 2017
Hi all,
I created https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text to keep track of this.
In pseudo code the calculation of sub could look like this:
// Client is authenticated at this point
If (client.sector_identifier) then
    // if we have a registered client identifier then use it
    sub = SHA-256 ( client.sector_identifier || local_account_id || salt );
else
    // need to determine sector_identifier to use as none is registered for this Client
    If (request_object && client.jwks_uri) then
        // request object signature is valid and key from client.jwks_uri was used to sign it
        sub = SHA-256 ( client.jwks_uri || local_account_id || salt );
    else
        // no registered sector_identifier, no request_object
        if (client.notification_uri) then
            // not polling but notification mode
            sub = SHA-256 ( client.notification_uri || local_account_id || salt );
        else
            // polling mode but no sector_identifier registered
            response.setError("invalid_request");
            logError("invalid_request", "no sector identifier for %s", client.id);
            return;
        endif
    endif
endif
// have sub that is a pairwise identifier here
Having said all that I currently tend to change the spec to say:
"In CIBA the Client MUST specify the sector_identifier_uri at registration time if the OP uses Pairwise Identifiers which is strongly recommended".
Should we make sector_identifier_uri mandatory for CIBA and cull all other Pairwise Identifier text?
Cheers
Axel
Pairwise Identifier Algorithm
https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
"sector_identifier_uri" Validation
https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation
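As an added illustration (not part of this mail or of the CIBA draft), the fallback cascade from the pseudo code above written out in Python: select_sector_identifier tries sector_identifier_uri, then jwks_uri (only when the request object was verified with a key from it), then notification_uri, and rejects a polling client that has none; pairwise_sub does the hash. Following the Core PairwiseAlg section linked above, it hashes the host component of the chosen URI and base64url-encodes the digest rather than hashing the raw URI string. The Client dataclass, the request_object_signed_with_jwks flag, the length-prefixing of the hashed fields, the salt value and the sample clients are my own assumptions.

```python
import base64
import hashlib
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse


@dataclass
class Client:
    """Registered client metadata; an assumed shape, not the draft's data model."""
    client_id: str
    sector_identifier_uri: Optional[str] = None
    jwks_uri: Optional[str] = None
    notification_uri: Optional[str] = None  # set in notification mode, absent in polling mode


class PairwiseError(Exception):
    """No sector identifier could be determined for the client."""

    def __init__(self, error: str, description: str):
        super().__init__(f"{error}: {description}")
        self.error = error
        self.description = description


def select_sector_identifier(client: Client, request_object_signed_with_jwks: bool) -> str:
    """Fallback order of the pseudo code: sector_identifier_uri, then jwks_uri
    (only if the request object was verified with a key fetched from it),
    then notification_uri; a polling client with none of these is rejected."""
    if client.sector_identifier_uri:
        return client.sector_identifier_uri
    if request_object_signed_with_jwks and client.jwks_uri:
        return client.jwks_uri
    if client.notification_uri:
        return client.notification_uri
    raise PairwiseError("invalid_request", f"no sector identifier for {client.client_id}")


def sector_host(uri: str) -> str:
    """Core's PairwiseAlg uses the host component of the sector URI, not the whole URI."""
    host = urlparse(uri).hostname  # urlparse already lower-cases the host
    if not host:
        raise PairwiseError("invalid_request", f"sector identifier has no host: {uri}")
    return host


def pairwise_sub(sector_uri: str, local_account_id: str, salt: bytes) -> str:
    """SHA-256 over host || local_account_id || salt, base64url without padding.
    Each field is length-prefixed (an assumption) so that shifting the boundary
    between host and account id can never produce the same concatenated bytes."""
    def field(value: bytes) -> bytes:
        return len(value).to_bytes(4, "big") + value

    data = (field(sector_host(sector_uri).encode("utf-8"))
            + field(local_account_id.encode("utf-8"))
            + field(salt))
    digest = hashlib.sha256(data).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def compute_sub(client: Client, local_account_id: str, salt: bytes,
                request_object_signed_with_jwks: bool = False) -> dict:
    """Outcome as in the pseudo code: {"sub": ...} or {"error": "invalid_request"}."""
    try:
        uri = select_sector_identifier(client, request_object_signed_with_jwks)
        return {"sub": pairwise_sub(uri, local_account_id, salt)}
    except PairwiseError as exc:
        # the pseudo code's logError: the description stays server-side, only the code goes out
        print(f"log: {exc.error}: {exc.description}")
        return {"error": exc.error}


# Constructed sample data. The salt is an OP secret and must never change once in use,
# otherwise every pairwise sub changes and Clients lose the mapping to their users.
OP_SALT = b"constructed-op-secret-salt"
SAMPLE_CLIENTS = {
    "rp-registered": Client("rp-registered", sector_identifier_uri="https://rp.example/sectors.json"),
    "rp-signed": Client("rp-signed", jwks_uri="https://keys.rp2.example/jwks.json",
                        notification_uri="https://cb.rp2.example/ciba"),
    "rp-polling": Client("rp-polling"),
}

if __name__ == "__main__":
    for name, client in SAMPLE_CLIENTS.items():
        print(name, compute_sub(client, "alice", OP_SALT, request_object_signed_with_jwks=True))
```

Two points the code makes visible that bear on the question of making sector_identifier_uri mandatory: the fallback branches derive the sector from whichever of jwks_uri or notification_uri happens to apply, so the same Client gets a different sub for the same user depending on the mode of the request and on whether it later registers a sector_identifier_uri; and, because Core hashes only the host, every URI on one host maps to one sector regardless of path.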
-----Original Message-----
From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Axel Nennker
Sent: Tuesday, 23 May 2017 15:33
To: openid-specs-mobile-profile at lists.openid.net
Subject: [Openid-specs-mobile-profile] Issue #52: CIBA Pairwise Identifiers Structuring Text (openid/mobile)
New issue 52: CIBA Pairwise Identifiers Structuring Text https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text
Axel Nennker:
Should the text regarding Pairwise Identifiers be in its own section or should it stay in the sections on polling and notification?
Polling: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.1.1
Notification: https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#rfc.section.3.5.3.3
References to other specs:
Core: https://openid.net/specs/openid-connect-core-1_0.html#PairwiseAlg
Validation of sector_identifier: https://openid.net/specs/openid-connect-registration-1_0.html#SectorIdentifierValidation
Axel
Responsible: ignisvulpis
_______________________________________________
Openid-specs-mobile-profile mailing list Openid-specs-mobile-profile at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-mobile-profile