- changed status to open
more definition of s_hash
In Issue #109 I've suggested that maybe s_hash isn't needed but, if it does stay, I think it needs a bit more definition.
OAuth and OIDC both have state as recommended but not required. So the definition of s_hash needs to clearly state what should happen when state was omitted from the authentication request and thus authentication response. I'd assume that s_hash would be omitted from the ID Token when state wasn't present. But I think the document should be explicit about it.
The document should also probably make an IANA request to register s_hash in the JWT claims registry https://www.iana.org/assignments/jwt/jwt.xhtml#claims
Comments (18)
-
-
reporter RFC6749 and OIDC both allow for the omission of
state
so I'm just saying that this document should properly account for that situation in definings_hash
, which is dependent onstate
. I don't think additional requirements (like makingstate
required) should be added unless there's a compelling reason to do so. -
So,
state
is acting as the UA identifier. If we stick to BCM principles[1], the message should include UA identifier so we should be requiring it in Part 1 as that is pretty much the only parameter that can be used for this purpose in the pure OAuth case in Part 1. I will make a separate ticket for it.[1] See https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pptx and https://zisc.ethz.ch/wp-content/uploads/2017/02/sakimura_future-proofing-oauth.pdf
-
-
assigned issue to
- changed milestone to R3 - Nov 2017
Will create the IANA consideration section for the final.
-
assigned issue to
-
reporter I still think that for the sake of interoperability, the definition of
s_hash
should say what the behavior is when nostate
is provided in the request. In the case of OIDC, which is the context wheres_hash
is applicable, nonce is the UA identifier. Even if FAPI requiresstate
, support ofs_hash
will be built into servers that support general OIDC and have to account forstate
not being present in the authentication request. -
OK. So, stating that
s_hash
needs to be there if the request containedstate
ok? -
-
assigned issue to
-
assigned issue to
-
- changed status to resolved
Make it explicit that s_hash is only required if client supplies state
fixes
#110→ <<cset c6aae1e747b6>>
-
reporter - changed status to open
The document should also make an IANA request to register s_hash in the JWT claims registry https://www.iana.org/assignments/jwt/jwt.xhtml#claims
-
Part 2 IANA Considerations should have it.
-
reporter But Part 2 doesn't have IANA Considerations?
-
-
assigned issue to
-
assigned issue to
-
-
assigned issue to
-
assigned issue to
-
-
- changed status to resolved
PR merged
-
- changed component to Part 2: Advanced
-
- changed component to FAPI 1 – Part 2: Advanced
-
- changed component to FAPI 1: Advanced
- Log in to comment
Good point re IANA.
Re: omission of
state
: Is it not better to requiredstate
?