How does RP determine sub type?

Issue #1261 resolved
Torsten Lodderstedt created an issue

RPs can register for different sub types (jkt, did) and multiple did methods. It is unclear to me how the RP determines the sub type used in a particular ID token.

Comments (12)

  1. Kristina Yasuda

    What has been discussed is

    • using OpenID Federation style entity statements for RP to look up which sub type SIOP uses

    • using SIOP Chooser (Issue #1212), where RP knows subject_identifier_types_supported of a SIOP set to which a particular SIOP instance belongs

    However, even then, if entity statement or a SIOP set says that a SIOP instance supports both, there is still no way for a RP to determine which subject identifier type is used in a particular ID token.

    Should an additional parameter subject_identifier_type_used be included in the response for RP to know?

  2. Michael Jones

    We’ve previously talked about having the SIOP V2 sub values be URIs, so that their type is self-describing. We could create a JWK Thumbprint URN specification in IETF for the case where the subject refers to a key.

  3. Kristina Yasuda
    • changed status to open

    On the 2021-07-08 call, two approaches were discussed:

    • 1/ add a new metadata property to the ID Token that explicitly allows the RP to identify which sub type is used

    • 2/ use URIs in sub so that the RP can determine the type based on that URI

  4. David Waite

    I’ll see if I can post some napkin math, but we may wish to forego a jwk thumbprint uri and instead have a jwk uri outright.

    Size wise: There’s a balance between the growth from having large scalars b64 encoded twice vs including a thumbprint.

    Simplicity wise: the creator of the URI is responsible for keeping it consistent as an identifier. You don’t need JWK thumbprints, which not all JWS libs expose.

  5. Kristina Yasuda

    Currently, if subject syntax type is did, sub=did:<method name>:<identifier> and sub_jwk is omitted; if subject syntax type is jwk, sub_jwk is present. The RP would look at sub syntax and the presence/absence of sub_jwk. Does this make sense? Is this sufficient from the RP perspective?

    PS I added the text clarifying this in PR #68

  6. Kristina Yasuda

    Resolved with the introduction of JWK thumbprint URI (currently individual draft status in IETF) and the following text in the ID Token Verification section

    The RP MUST identify which Subject Syntax Type is used based on the URI of the sub Claim. Valid values defined in this specification are urn:ietf:params:oauth:jwk-thumbprint for JWK Thumbprint Subject Syntax Type and did: for Decentralized Identifier Subject Syntax Type.
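The verification rule above, together with the sub/sub_jwk pairing described in comment 5, is illustrated below as an added example; it is not code from the thread, the SIOP V2 specification or any RP implementation. It assumes the `:sha-256:<thumbprint>` layout of the JWK Thumbprint URI as published in RFC 9278 (the thread refers to the earlier individual draft), computes the thumbprint itself per RFC 7638, and uses a constructed EC JWK whose coordinate values are placeholders rather than a real curve point.

```python
import base64
import hashlib
import hmac
import json

JWK_THUMBPRINT_URN = "urn:ietf:params:oauth:jwk-thumbprint"

# JWK members that RFC 7638 feeds into the thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
    "oct": ("k", "kty"),
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JSON of the required members))."""
    kty = jwk.get("kty")
    if kty not in _THUMBPRINT_MEMBERS:
        raise ValueError(f"unsupported kty {kty!r}")
    try:
        canonical = {m: jwk[m] for m in _THUMBPRINT_MEMBERS[kty]}
    except KeyError as missing:
        raise ValueError(f"JWK lacks required member {missing}") from None
    # Lexicographically sorted keys and no whitespace give the exact bytes RFC 7638 hashes.
    encoded = json.dumps(canonical, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return _b64url(hashlib.sha256(encoded).digest())


def thumbprint_uri(jwk: dict) -> str:
    """Assumed URI layout (RFC 9278): <urn>:sha-256:<thumbprint>."""
    return f"{JWK_THUMBPRINT_URN}:sha-256:{jwk_thumbprint(jwk)}"


def classify_sub(sub: str):
    """Subject Syntax Type from the sub URI alone; None if neither defined form matches."""
    if sub.startswith(JWK_THUMBPRINT_URN + ":"):
        return "jwk_thumbprint"
    if sub.startswith("did:"):
        return "did"
    return None


def verify_subject(claims: dict):
    """RP-side check: returns (True, type) or (False, reason).

    Identifies the type from the sub URI, then checks that sub_jwk is present
    and bound to sub for the JWK Thumbprint type, and absent for the DID type.
    """
    sub = claims.get("sub")
    if not isinstance(sub, str):
        return False, "sub missing"
    kind = classify_sub(sub)
    if kind is None:
        return False, "unrecognised Subject Syntax Type"
    if kind == "jwk_thumbprint":
        sub_jwk = claims.get("sub_jwk")
        if not isinstance(sub_jwk, dict):
            return False, "jwk-thumbprint sub requires sub_jwk"
        # sub = urn:ietf:params:oauth:jwk-thumbprint:<hash-alg>:<thumbprint>
        hash_alg, _, claimed = sub[len(JWK_THUMBPRINT_URN) + 1:].partition(":")
        if hash_alg != "sha-256" or not claimed:
            return False, "unsupported thumbprint hash algorithm"
        try:
            expected = jwk_thumbprint(sub_jwk)
        except ValueError as err:
            return False, str(err)
        # sub must be the thumbprint of the key the token carries; constant-time compare.
        if not hmac.compare_digest(claimed, expected):
            return False, "sub does not match sub_jwk"
        return True, kind
    # DID subject: the key comes from DID resolution, so sub_jwk must be absent.
    if "sub_jwk" in claims:
        return False, "sub_jwk must be absent for did subjects"
    return True, kind


# Constructed sample key: x and y are placeholder strings, not a real P-256 point.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-not-a-real-point",
    "y": "placeholder-y-coordinate-not-a-real-point",
}


def sample_claims() -> dict:
    """Constructed ID Token claims a SIOP would return for the JWK Thumbprint type."""
    return {"sub": thumbprint_uri(SAMPLE_JWK), "sub_jwk": SAMPLE_JWK}


if __name__ == "__main__":
    print(verify_subject(sample_claims()))
    print(verify_subject({"sub": "did:example:123456789abcdefghi"}))
```

The type decision uses only the sub URI, exactly as the resolution text requires; the sub_jwk checks are the consistency rules from comment 5 layered on top, so a token that mixes the two forms (a did: sub with a sub_jwk, or a thumbprint sub whose sub_jwk hashes to something else) is rejected rather than silently accepted.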
