[Openid-specs-mobile-profile] Issue 52 CIBA Pairwise Identifiers Structuring Text
John Bradley
ve7jtb at ve7jtb.com
Wed Jun 14 19:23:05 UTC 2017
Exactly.
In your description nothing stops the bad client from registering the good client’s SIU and/or redirect_uri.
The client is issued a client secret and uses that to authenticate to the authorization endpoint.
They are a different client but are getting the same PPID generated as the good client without being associated with the good client.
This is a privacy not a security issue.
John B.
> On Jun 13, 2017, at 11:28 PM, Manger, James <James.H.Manger at team.telstra.com> wrote:
>
> Axel,
>
> > What are the threats if all client metadata is validated at registration time and all CIBA requests are authenticated?
> - BadClient is not able to register for the same sector_identifier_uri as GoodPollingClient (regardless of CIBA or OIDC). This is nothing bad introduced by CIBA.
>
> This is your mistake.
> Multiple clients can register the same sector_identifier_uri — that is the whole point of the sector_id concept (grouping multiple apps). The issue is how does the registration system distinguish BadClient from OtherGoodPollingClient when both register the same sector_id?
>
> --
> James Manger
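To make the mechanics under discussion concrete, here is an added example (not part of the thread or any OpenID specification text) showing how a pairwise subject identifier is derived from the sector identifier and what the registration-time sector_identifier_uri check does. The sector document, client names and redirect URIs are constructed for illustration.

```python
import hashlib
from urllib.parse import urlparse

# Constructed stand-in for the JSON array an OP would fetch from a client's
# sector_identifier_uri (OIDC Dynamic Client Registration, section 5).
SECTOR_DOCUMENTS = {
    "https://good.example.com/sector.json": [
        "https://app1.good.example.com/cb",
        "https://app2.good.example.com/cb",
    ],
}


def sector_identifier(sector_identifier_uri):
    """Sector identifier is the host component of sector_identifier_uri (OIDC Core 8.1)."""
    return urlparse(sector_identifier_uri).hostname


def pairwise_sub(sector_identifier_uri, local_account_id, salt):
    """Pairwise sub: SHA-256 over sector identifier, local account id and a per-OP salt.

    Every client sharing the same sector_identifier_uri gets the same value,
    which is the grouping behaviour James describes.
    """
    data = (sector_identifier(sector_identifier_uri) + local_account_id + salt).encode()
    return hashlib.sha256(data).hexdigest()


def validate_sector_registration(sector_identifier_uri, redirect_uris, fetch=SECTOR_DOCUMENTS.get):
    """Registration-time check: every redirect_uri must appear in the hosted sector document.

    Returns (ok, reason). A client that registers no redirect_uris at all, such as a
    poll-mode CIBA client, has nothing for this check to compare, so it passes; that is
    the gap the thread points at.
    """
    if urlparse(sector_identifier_uri).scheme != "https":
        return False, "sector_identifier_uri must use https"
    listed = fetch(sector_identifier_uri)
    if listed is None:
        return False, "sector document could not be fetched"
    missing = [uri for uri in redirect_uris if uri not in listed]
    if missing:
        return False, "redirect_uris not in sector document: " + ", ".join(missing)
    return True, "ok"
```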