[openid-specs-rande] Fwd: R&Sv2 discussion / OIDC (from Mischa Salle)

Mischa Salle msalle at nikhef.nl
Mon Feb 15 08:17:43 UTC 2021


Hi Marcus, Davide, all,

On Mon, Feb 15, 2021 at 09:01:28AM +0100, Marcus Hardt wrote:
> On 12. Feb 2021 18:28, Davide Vaghetti wrote:
> > I've given just a quick look at the current discussion. What I find
> > really hard to understand is how the R&Sv2 EC could be used to "fix" all
> > that's (supposedly) wrong in OIDC core --- read that the sub is not
> > globally unique per se, but MUST be combined with the iss.
> 
> I think there is a certain frustration in the discussion, because
> SAML-fans are very displeased with the need to generate sub at iss. And there
> are pitfalls that might need to be addressed (e.g. whether to
> `lstrip('https://')` or if `urlencode(sub|iss)` makes sense).

But why would you need to combine them into one? Why not just keep the
tuple {sub,iss}? I think the idea that we need to have a single
attribute is itself SAML-inspired (although convenient).
If you want to know if claim-set A and claim-set B belong to the same
subject, you compare the iss and the sub independently.
I agree that there are many pitfalls once you start messing around with
the values. If we think there is an (additional) need for a single
globally unique identifier, it's probably better to add it
independently, e.g. as subject-id or eduperson_unique_id.

> Discussing them in rande, and suggesting something coherent for R&Sv2 is
> probably a good idea.

Yep, fully agree!

Mischa

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
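The comparison Mischa proposes, and the two pitfalls Marcus lists, as an added illustration that is not part of the thread. The claim sets are constructed sample values; `urlencode(sub|iss)` is rendered here as per-component `urllib.parse.quote`, which is one reading of Marcus's shorthand, not a spec'd construction.

```python
from urllib.parse import quote, unquote

# Constructed sample claim sets (not from the thread). Two *different* issuers
# that happen to issue the same bare "sub": only (iss, sub) keeps them apart.
CLAIMS_A = {"iss": "https://sso.example.org", "sub": "alice"}
CLAIMS_B = {"iss": "https://o.example.org",   "sub": "alice"}


def same_subject(a: dict, b: dict) -> bool:
    """Compare iss and sub independently, i.e. as the tuple (iss, sub).
    A missing claim raises KeyError instead of silently matching."""
    return (a["iss"], a["sub"]) == (b["iss"], b["sub"])


def naive_joined_id(claims: dict) -> str:
    """The kind of single identifier the thread warns about.
    str.lstrip() removes a *set of characters*, not a prefix, so
    'https://sso.example.org'.lstrip('https://') yields 'o.example.org',
    the same as 'https://o.example.org'.lstrip('https://')."""
    host = claims["iss"].lstrip("https://")
    return f"{claims['sub']}@{host}"


def joined_id(claims: dict) -> str:
    """If a single string is really needed: keep the full iss (no prefix
    stripping) and percent-encode each component with safe='' so the
    separator '|' can never appear inside a component (it becomes %7C).
    The result is reversible, see split_joined_id."""
    return quote(claims["sub"], safe="") + "|" + quote(claims["iss"], safe="")


def split_joined_id(joined: str) -> tuple:
    """Recover the (iss, sub) tuple from joined_id() output."""
    sub, iss = joined.split("|", 1)
    return unquote(iss), unquote(sub)


if __name__ == "__main__":
    assert not same_subject(CLAIMS_A, CLAIMS_B)
    # The naive join collides: both become 'alice@o.example.org'.
    assert naive_joined_id(CLAIMS_A) == naive_joined_id(CLAIMS_B)
    assert joined_id(CLAIMS_A) != joined_id(CLAIMS_B)
    tricky = {"iss": "https://idp.example", "sub": "al|ice"}
    assert split_joined_id(joined_id(tricky)) == (tricky["iss"], tricky["sub"])
    print("ok")
```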