- changed status to open
more definition of s_hash
Issue #110
resolved
In Issue #109 I've suggested that maybe s_hash isn't needed but, if it does stay, I think it needs a bit more definition.
OAuth and OIDC both have state as recommended but not required. So the definition of s_hash needs to clearly state what should happen when state was omitted from the authentication request and thus authentication response. I'd assume that s_hash would be omitted from the ID Token when state wasn't present. But I think the document should be explicit about it.
The document should also probably make an IANA request to register s_hash in the JWT claims registry https://www.iana.org/assignments/jwt/jwt.xhtml#claims
Comments (18)
-
-
reporter
RFC6749 and OIDC both allow for the omission of
stateso I'm just saying that this document should properly account for that situation in definings_hash, which is dependent onstate. I don't think additional requirements (like makingstaterequired) should be added unless there's a compelling reason to do so. -
So,
stateis acting as the UA identifier. If we stick to BCM principles[1], the message should include UA identifier so we should be requiring it in Part 1 as that is pretty much the only parameter that can be used for this purpose in the pure OAuth case in Part 1. I will make a separate ticket for it.[1] See https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pptx and https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pdf
-
-
assigned issue to
Edmund Jay
- changed milestone to R3 - Nov 2017
Will create the IANA consideration section for the final.
-
assigned issue to
-
reporter
I still think that for the sake of interoperability, the definition of
s_hashshould say what the behavior is when nostateis provided in the request. In the case of OIDC, which is the context wheres_hashis applicable, nonce is the UA identifier. Even if FAPI requiresstate, support ofs_hashwill be built into servers that support general OIDC and have to account forstatenot being present in the authentication request. -
OK. So, stating that
s_hashneeds to be there if the request containedstateok? -
-
assigned issue to
Joseph Heenan
-
assigned issue to
-
- changed status to resolved
Make it explicit that s_hash is only required if client supplies state
fixes
#110→ <<cset c6aae1e747b6>>
-
reporter
- changed status to open
The document should also make an IANA request to register s_hash in the JWT claims registry https://www.iana.org/assignments/jwt/jwt.xhtml#claims
-
Part 2 IANA Considerations should have it.
-
reporter
But Part 2 doesn't have IANA Considerations?
-
-
assigned issue to
Nat Sakimura
-
assigned issue to
-
-
assigned issue to
Dave Tonge
-
assigned issue to
-
-
- changed status to resolved
PR merged
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- FAPI 1: Advanced
- Milestone
- R3 - Nov 2017
- Votes
- 0
- Watchers
- 5
Good point re IANA.
Re: omission of
state: Is it not better to requiredstate?