[Openid-specs-mobile-profile] Issue #132: Sector id inconsistencies in CIBA (openid/mobile)

James Manger issues-reply at bitbucket.org
Fri Dec 14 03:15:49 UTC 2018


New issue 132: Sector id inconsistencies in CIBA
https://bitbucket.org/openid/mobile/issues/132/sector-id-inconsistencies-in-ciba

James Manger:

Comments on openid-client-initiated-backchannel-authentication-core-01 (2018-12-13):

CIBA discusses using a sector id to derive pairwise ids in section 4 “Registration and Discovery Metadata” and section 14 “Pairwise Identifiers”, but they are inconsistent. Section 14 says clients MUST specify their sector_identifier_uri if the OP uses pairwise ids; while section 4 says jwks_uri is used as a sector id, then that backchannel_client_notification_endpoint can be used as the sector id, and sector_identifier_uri is merely an option to be the sector id.

Section 4 mentions ways to confirm a client controls the jwks_uri they claim; while section 14 says there is no way to do this for polling mode.

The sector id is presumably the *host portion* (not the full uri) of sector_identifier_uri, jwks_uri, or backchannel_client_notification_endpoint. The text incorrectly says the URI is the sector id (in the 1st & 2nd paragraphs of “Poll and Ping Modes with Pairwise Identifier”).

The section 4 example “POST /connect/register” needs a “sector_identifier_uri” member since “subject_type” is “pairwise” and section 14 says the clients MUST specify sector_identifier_uri in this case.
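To make the host-versus-full-URI point concrete, here is an added example (not part of the issue above or of the CIBA spec) that derives a pairwise subject from the host of a client's sector-identifying URI using the SHA-256 construction OpenID Connect Core section 8.1 gives as an example; the OP salt, the client metadata and the precedence order (sector_identifier_uri first, then backchannel_client_notification_endpoint, then jwks_uri) are assumptions chosen for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed OP-side salt for the example; a real OP keeps a stable secret.
OP_SALT = b"constructed-example-salt"

# Assumed precedence for this example only: the issue notes the spec itself is
# inconsistent about which of these metadata values names the sector.
SECTOR_SOURCES = (
    "sector_identifier_uri",
    "backchannel_client_notification_endpoint",
    "jwks_uri",
)

def sector_identifier(client_metadata: dict) -> str:
    """Return the sector identifier for a client: the HOST portion of the
    first sector-identifying URI present, never the full URI."""
    for key in SECTOR_SOURCES:
        uri = client_metadata.get(key)
        if uri:
            parts = urlsplit(uri)
            if parts.scheme != "https" or not parts.hostname:
                raise ValueError(f"{key} must be an https URI with a host")
            return parts.hostname.lower()
    raise ValueError("client metadata carries no sector-identifying URI")

def pairwise_sub(sector: str, local_account_id: str) -> str:
    """sub = hex(SHA-256(sector || local_account_id || salt)), the example
    construction from OpenID Connect Core 8.1."""
    h = hashlib.sha256()
    h.update(sector.encode())
    h.update(local_account_id.encode())
    h.update(OP_SALT)
    return h.hexdigest()

def subject_for_client(client_metadata: dict, local_account_id: str) -> str:
    """Derive the pairwise sub an OP would issue to this client for a user."""
    return pairwise_sub(sector_identifier(client_metadata), local_account_id)

if __name__ == "__main__":
    # Two deployments of the same RP on one host but with different paths.
    client_a = {"subject_type": "pairwise",
                "sector_identifier_uri": "https://rp.example.com/sectors.json"}
    client_b = {"subject_type": "pairwise",
                "jwks_uri": "https://rp.example.com/keys/jwks.json"}
    print(subject_for_client(client_a, "alice") == subject_for_client(client_b, "alice"))
```

Deriving from the host gives both clients the same sub for "alice", while hashing the full URIs (as the spec text literally reads) would split one sector into two.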
