- changed status to open
Meaning of the Surrogate Identifier Clause not clear
In DDA, it was using "Surrogate Identity" without defining what identity is. It looks like it was meant to be "identifier".
Even then, the meaning of the clause is not clear.
For example, the meaning of
OAuth creates a surrogate identifier for a Login (entity)
is not clear. OAuth does not create an identifier that represents a Login (= user identity). It just represents the access grant. It is a well-known security hole to mistake access and refresh tokens for user identity.
If one wants to use them as such, the Client needs to at least verify that:
- the token was issued for the client
- the token was issued by the intended issuer
- the token maps to one user identifier
etc. It will eventually end up being semantically equal to (at minimum) an ID Token.
Also, it seems to be asking for RT and AT to be persistent. Not sure if that is a good idea.
Comments (7)
• Surrogate identifier is recommended to be sent in place of the PII (personal identifier information) such as bank real account number.
-
Nat,
I know OpenID Connect solved the user identity problem ... In OAuth that was missing, so we added a Surrogate identifier "User id" as an additional attribute to the OAuth response when tokens are generated for a successful login.
Let me know if we need to review a few of the open items at next week's meeting.
-
reporter Ah, ok, user_id and surrogate identifiers are closely related. Then, suggest we close this ticket and continue tracking with #22.
-
reporter - changed component to Part 4: Protected Resources - RO
-
- edited description
- changed status to wontfix
Data specs no longer being worked on
Maybe we should drop the clause.