Messages, Standard - Define self issued OP mechanism

Issue #566 resolved
Nat Sakimura created an issue

Turn the white board diagram at RSA to text.

Comments (9)

  1. Nat Sakimura reporter

    Here is a rendition of the whiteboard photo:

    Registration
    Discovery
    
    token id_token flow
    Auth openid:string
    client_id Real URI
    UserInfo Real URI
    -----------------------------
    iss selfissued.me
    user_id public key Base64
    
    access token JWS
       ---
       ---
       ---
    
  2. Nat Sakimura reporter
    • changed status to open

    After having thought a little, I have a problem with user_id as being base64url encoded public key. It probably is going to be too large for many RPs to fit into their database field.

    Instead, I would propose base64url_encode(sha1(public key)) as user_id and sending public key in a separate field.

  3. John Bradley

    I would be more comfortable staying away from SHA1.

    1. The sender would create a 2048 bit RSA key pair for the RP.

    2. The JWT would contain a JWK claim containing the public key.

    "user_jwk": {
        "alg": "RSA",
        "mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
        "exp": "AQAB"
    }
    

    3. Make the value of user_id a base64 encoded SHA256 hash of the concatenated mod and exp values.

    4. Make the value of "iss":"https://self-issued.me"

    When an RP gets an assertion, it might use the check_id endpoint for the issuer, so the check_id endpoint for https://self-issued.me can validate the assertion.

    If validating directly, the RP looks at iss. If it is "https://self-issued.me", take the user_jwk from the assertion and validate the signature; if that validates, hash the concatenation of mod and exp and compare to user_id. If they match, the assertion is good.

    If the issuer is not "https://self-issued.me" look up the issuer and validate the signature based on the known public key.

    The question is if we should use the same trick to put the user_info contents into the access token or another token.

    The user_id claim would be validated by the RP in the same way.
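    The direct-validation path described in this comment, written out as an added example (not code from this thread or from the OpenID specs). It assumes that "concatenated mod and exp" means the base64url strings as they appear in the JWK, mod first, and that the caller has already verified the JWS signature with the embedded user_jwk; the sample JWK reuses the modulus pasted above.

```python
import base64
import hashlib
import hmac

SELF_ISSUED_ISS = "https://self-issued.me"

# Constructed sample JWK; the modulus is the one pasted in comment 3 above.
EXAMPLE_USER_JWK = {
    "alg": "RSA",
    "mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "exp": "AQAB",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWS/JWK values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def self_issued_user_id(user_jwk: dict) -> str:
    """user_id = base64url(SHA-256(mod || exp)).
    Assumption: the concatenation is over the base64url strings in the JWK,
    mod first, then exp."""
    material = (user_jwk["mod"] + user_jwk["exp"]).encode("ascii")
    return b64url(hashlib.sha256(material).digest())


def build_self_issued_claims(user_jwk: dict) -> dict:
    """The claims the self-issued side places in the id_token payload."""
    return {"iss": SELF_ISSUED_ISS, "user_jwk": user_jwk,
            "user_id": self_issued_user_id(user_jwk)}


def verify_self_issued_binding(claims: dict) -> bool:
    """RP-side check: once the JWS signature has been verified with the
    embedded user_jwk (assumed done by the caller's JWS library), user_id must
    equal the hash of that key. Returns False for tokens that are not
    self-issued; those must be checked against the issuer's registered key."""
    if claims.get("iss") != SELF_ISSUED_ISS:
        return False
    jwk = claims.get("user_jwk")
    if not isinstance(jwk, dict) or jwk.get("alg") != "RSA":
        return False
    if not isinstance(jwk.get("mod"), str) or not isinstance(jwk.get("exp"), str):
        return False
    presented = claims.get("user_id")
    if not isinstance(presented, str):
        return False
    # Constant-time compare of the two hash strings.
    return hmac.compare_digest(self_issued_user_id(jwk), presented)
```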

  4. Axel Nennker

    The check_id endpoint is gone as per today.

    We need a way to detect that the assertion is self issued.

    This could be the presence of "user_jwk" or e.g. something in "acr" which might be REQUIRED for self issued assertions.

    "acr" : { "values" : ["self-issued"] }

    Or we could put the user_jwk into the acr as well like

    "acr" : { "values" : ["self-issued"], "user_jwk" : {....} }

    To detect whether an assertion is self issued an RP would first look at acr (if present)

  5. Nat Sakimura reporter

    So, John's proposal to indicate that it is a self-issued IdP was that

    "iss":"https://self-issued.me"
    

    Are you suggesting that in addition to it, it should indicate it in the 'acr'?

  6. John Bradley

    The remaining comment was addressed in section 3 of the implicit profile. The self-issued info needs to be added to Messages and the other specs.
