[openid-specs-rande] Fwd: R&Sv2 discussion / OIDC (from Mischa Salle)
Marcus Hardt
hardt at kit.edu
Mon Feb 15 09:46:39 UTC 2021
On 15. Feb 2021 09:17, Mischa Salle wrote:
> Hi Marcus, Davide, all,
>
> On Mon, Feb 15, 2021 at 09:01:28AM +0100, Marcus Hardt wrote:
> > On 12. Feb 2021 18:28, Davide Vaghetti wrote:
> > > I've given just a quick look at the current discussion. What I found
> > > really hard to understand is how the R&Sv2 EC could be used to "fix" all
> > > that's (supposedly) wrong in OIDC core --- read that the sub is not
> > > globally unique per se, but MUST be combined with the iss.
> >
> > I think there is a certain frustration in the discussion, because
> > SAML fans are very displeased with the need to generate sub at iss. And there
> > are pitfalls that might need to be addressed (e.g. whether to
> > `lstrip('https://')` or if `urlencode(sub|iss)` makes sense).
>
> but why would you need to combine them into one? Why not just keep the
> tuple {sub,iss} ? I think the idea that we need to have a single
> attribute is itself SAML-inspired (although convenient).
> If you want to know if claim-set A and claim-set B belong to the same
> subject, you compare the iss and the sub independently?
In the end, this is an implementation choice at the RP. Implementations
that add OIDC support after initial SAML support might have no other
choice. But this is likely nothing we Refeds have to care about.
> I agree that there are many pitfalls once you start messing around with
> the values. If we think there is an (additional) need for a single
> globally unique identifier, it's probably better to add it
> independently, e.g. as subject-id or eduperson_unique_id.
Yep. And it might be a good idea to give guidance on how these IDs
_should_ be created from {sub,iss}, in order to avoid confusion in cases
where different OP implementations provide {sub, iss,
eduperson_unique_id}.
> > Discussing them in rande, and suggesting something coherent for R&Sv2 is
> > probably a good idea.
>
> Yep, fully agree!
Marcus.
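The pitfalls the thread names, worked through in code. This is an added illustration, not code from the thread or from any OP/RP implementation; the issuer URLs and subject values are constructed samples, and `unique_id()` with a `|` separator is one assumed injective encoding, not a REFEDS recommendation.

```python
from urllib.parse import quote, unquote

def lstrip_scheme(iss: str) -> str:
    """The lstrip('https://') pitfall: str.lstrip() strips a character *set*,
    not a prefix, so it also eats leading h/t/p/s/:/ characters of the host."""
    return iss.lstrip("https://")

def strip_scheme(iss: str) -> str:
    """Prefix removal done correctly, but still lossy: the scheme is part of
    the issuer identifier, so http:// and https:// issuers collapse together."""
    for scheme in ("https://", "http://"):
        if iss.startswith(scheme):
            return iss[len(scheme):]
    return iss

def encode_then_join(sub: str, iss: str) -> str:
    """urlencode(sub|iss) with the separator inserted *before* encoding:
    a literal '|' inside sub or iss is indistinguishable from the separator,
    so two different pairs can map to the same string (not injective)."""
    return quote(f"{sub}|{iss}", safe="")

def unique_id(sub: str, iss: str) -> str:
    """Assumed injective folding: percent-encode each part with safe='' so
    neither can contain a literal '|', then join. The pair is recoverable."""
    return f"{quote(sub, safe='')}|{quote(iss, safe='')}"

def split_unique_id(ident: str) -> tuple[str, str]:
    """Inverse of unique_id(): split on the first '|', then decode each part."""
    sub, iss = ident.split("|", 1)
    return unquote(sub), unquote(iss)

def same_subject(a: tuple[str, str], b: tuple[str, str]) -> bool:
    """The tuple comparison suggested in the thread: compare sub and iss
    independently, so no folding into a single string is needed at all."""
    return a == b
```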