- attached self-issued whiteboard 2-Mar-12.jpg
Messages, Standard - Define self issued OP mechanism
Turn the white board diagram at RSA to text.
Comments (9)
-
reporter -
reporter Here is a rendition of the whiteboard photo:
Registration Discovery token id_token flow Auth openid:string client_id Real URI UserInfo Real URI ----------------------------- iss selfissued.me user_id public key Base64 access token JWS --- --- ---
-
reporter - changed status to open
After having thought a little, I have a problem with user_id as being base64url encoded public key. It probably is going to be too large for many RPs to fit into their database field.
Instead, I would propose base64url_encode(sha1(public key)) as user_id and sending public key in a separate field.
-
reporter - marked as proposal
-
I would be more comfortable staying away from SHA1.
1. The sender would create a 2048 bit RSA key pair for the RP.
2. The JWT would contain a JWK claim containing the public key.
"user_jwk": {
  "alg": "RSA",
  "mod": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
  "exp": "AQAB"
}
3. Make the value of user_id a base64 encoded SHA256 hash of the concatenated mod and exp values.
4. Make the value of "iss":"https://self-issued.me"
When an RP gets an assertion, it might use the check_id endpoint for the issuer, so the check_id endpoint for https://self-issued.me can validate the assertion.
If validating directly, the RP looks at iss. If it is "https://self-issued.me", take the user_jwk from the assertion and validate the signature; if that validates, hash the concatenation of mod and exp and compare to user_id; if they match, the assertion is good.
If the issuer is not "https://self-issued.me" look up the issuer and validate the signature based on the known public key.
The question is if we should use the same trick to put the user_info contents into the access token or another token.
The user_id claim would be validated by the RP in the same way.
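The proposal above, as an added example in standard-library Python that is not from this thread or from any OpenID Connect implementation: the self-issued side embeds its key as user_jwk and derives user_id as base64url(SHA-256(mod || exp)); the RP side looks at iss, verifies the RS256 signature with the embedded key, and only then checks that the key hashes to the claimed user_id. It assumes the hash is taken over the JWK's base64url string values as concatenated (the thread does not say), and it builds a constructed, deliberately tiny demo key, so RSA is hand-rolled with pow() instead of taken from a library.

```python
import base64, hashlib, hmac, json, math, random

SELF_ISSUED = "https://self-issued.me"
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix, RFC 8017 section 9.2

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def unb64u(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def derive_user_id(jwk):  # step 3: base64url(SHA-256(mod || exp)); assumed to be over the JWK's string values
    return b64u(hashlib.sha256((jwk["mod"] + jwk["exp"]).encode()).digest())
def emsa_pkcs1_v15(data, k):  # RFC 8017 9.2 encoding for SHA-256; the stdlib has no RSA, so RS256 is hand-rolled
    t = SHA256_DIGEST_INFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rs256_verify(jwk, signing_input, sig):
    n, e = (int.from_bytes(unb64u(jwk[f]), "big") for f in ("mod", "exp"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(signing_input, k))
def validate_self_issued(token):  # RP side: look at iss, verify with the embedded key, then check the user_id binding
    h, p, s = token.split(".")
    claims = json.loads(unb64u(p))
    if claims.get("iss") != SELF_ISSUED: return False, "not self-issued: resolve the issuer's published key instead"
    jwk = claims.get("user_jwk")
    if not jwk: return False, "self-issued assertion lacks user_jwk"
    if not rs256_verify(jwk, f"{h}.{p}".encode(), unb64u(s)): return False, "signature invalid"
    if not hmac.compare_digest(derive_user_id(jwk).encode(), str(claims.get("user_id", "")).encode()):
        return False, "user_id not bound to user_jwk"  # valid signature, but under a key that does not hash to the subject
    return True, "ok"
def prime(bits):  # Miller-Rabin with 20 random witnesses; enough for a constructed demo key only
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0: d, r = d // 2, r + 1
        if all(pow(a, d, n) in (1, n - 1) or any(pow(a, d << i, n) == n - 1 for i in range(1, r))
               for a in (random.randrange(2, n - 1) for _ in range(20))): return n
def make_demo_keypair(bits=512):  # constructed and deliberately tiny; step 1 of the proposal calls for 2048 bits
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(65537, phi) == 1: break
    n = p * q
    jwk = {"alg": "RSA", "mod": b64u(n.to_bytes((n.bit_length() + 7) // 8, "big")), "exp": b64u(b"\x01\x00\x01")}
    return jwk, n, pow(65537, -1, phi)  # public JWK in the thread's format, modulus, private exponent
def issue_self_signed(jwk, n, d, extra):  # self-issued OP side; 'extra' is merged last so a caller can override claims
    k = (n.bit_length() + 7) // 8
    claims = {"iss": SELF_ISSUED, "user_jwk": jwk, "user_id": derive_user_id(jwk), **extra}
    si = b64u(b'{"alg":"RS256"}') + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa_pkcs1_v15(si.encode(), k), "big"), d, n).to_bytes(k, "big")
    return si + "." + b64u(sig)
```

The binding check is the part that matters for self-issued assertions: a signature that verifies under the embedded key proves only that the sender holds that key, and the hash comparison is what ties that key to the user_id the RP stores.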
-
The check_id endpoint is gone as per today.
We need a way to detect that the assertion is self issued.
This could be the presence of "user_jwk" or e.g. something in "acr" which might be REQUIRED for self issued assertions.
"acr" : { "values" : ["self-issued"] }
Or we could put the user_jwk into the acr as well like
"acr" : { "values" : ["self-issued"], "user_jwk" : {....} }
To detect whether an assertion is self issued an RP would first look at acr (if present)
-
reporter So, John's proposal to indicate that it is a self-issued IdP was that
"iss":"https://self-issued.me"
Are you suggesting that in addition to it, it should indicate it in the 'acr'?
-
The remaining comment was addressed in section 3 of the implicit profile. The self-issued info needs to be added to Messages and the other specs.
-
- changed status to resolved
Completed some time ago