I have been implementing a chooser for SIOP. One thing that has struck me is that if a URL AR is allowed there is no real way for the SIOP (aka user) to know the identity of the client. There is a client ID (could be made up) and a redirect, which is the best evidence, but I don't know how to turn that redirect URL into a value that the user could understand. Therefore I would like to enforce the use of a signed packet from the client (relying party) for all SIOP operations. I would require that the sig match the key and that the client ID be something recognizable, or that we create/require a new field to identify the client in terms that the user can understand. (A JAR is just my suggestion. Other suggestions welcomed.)
THIS IS A SECURITY AND PRIVACY ISSUE which I consider to be pri one.
See the following for related commentary. https://bitbucket.org/openid/connect/issues/1045/signalling-that-a-request-object-must
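As an added example (not part of the original post or of any SIOP implementation), the check the post proposes: refuse a request with no signed request object, verify the object under the key registered for the client_id, require the signed client_id/iss and redirect_uri to agree with what is registered, and only then surface a recognizable client name to the user. The client registry, the display name and the HMAC-signed object are constructed assumptions; a real deployment would resolve the client's asymmetric key from its metadata.

```python
import base64, hashlib, hmac, json

# Constructed registry (assumption): client_id -> display name, verification key, redirect URIs.
CLIENT_REGISTRY = {
    "https://rp.example.com": {
        "display_name": "Example Relying Party",
        "key": b"constructed-shared-secret-for-demo",
        "redirect_uris": ["https://rp.example.com/cb"],
    },
}

def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_request_object(claims, key):
    """Build a compact JWS request object (HS256 used only to keep the example self-contained)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "oauth-authz-req+jwt"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_siop_request(query):
    """Return (display_name, claims) only when the request object verifies under the key
    registered for client_id and its signed claims bind that same client; else raise."""
    client_id = query.get("client_id")
    entry = CLIENT_REGISTRY.get(client_id)
    if entry is None:
        raise ValueError("unknown client_id: nothing the user could recognise")
    jar = query.get("request")
    if jar is None:
        raise ValueError("unsigned request rejected: client identity cannot be established")
    header_b64, payload_b64, sig_b64 = jar.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never accept 'none' or an unexpected algorithm
    expected = hmac.new(entry["key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify under the key registered for this client")
    claims = json.loads(b64url_decode(payload_b64))
    # The signed object must name the same client as the outer request, and the redirect
    # must be one registered for that client, so the user can be shown a trusted name.
    if claims.get("client_id") != client_id or claims.get("iss") != client_id:
        raise ValueError("client_id/iss inside the signed object do not match the request")
    if claims.get("redirect_uri") not in entry["redirect_uris"]:
        raise ValueError("redirect_uri is not registered for this client")
    return entry["display_name"], claims

def is_accepted(query):
    try:
        verify_siop_request(query); return True
    except ValueError:
        return False
```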