Proposed new FAPI1-Adv test: consistent sub from different authorisations for same client

Issue #548 resolved
Joseph Heenan created an issue

We’ve had some reports from Brasil of banks not returning consistent ‘sub’ values (i.e. same client/server pair gets a different sub value for each authorization), and this is causing some issues for clients there.

The Brazil security squad have suggested that we add a test for sub consistency to the FAPI1Advanced tests - a new test that completes two authorisations with the same client and verifies that sub is the same in both cases.

This is quite similar to an existing test in the OpenID Connect tests.

As the certification tests are owned by the FAPI working group, this issue is to check the working group agrees this is a sane test and that there’s no large objections.

I am not sure how we handle rolling out the test. Traditionally we might allow a grace period of at least a month between creating the test and banks being required to pass it for certification. We would have to check with them, but I suspect Brasil would prefer we don’t offer that grace period. If anyone feels the grace period is definitely necessary please say.
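The check the proposed test would perform, as an added illustration that is not part of the issue or of the conformance suite's own code: take the ID tokens returned by two authorizations for the same client, confirm they really are for the same issuer and audience, and report whether `sub` is stable across them. The sample tokens are constructed unsigned JWTs; the helper names and the result format are assumptions for this example only (a real conformance test verifies the token signature before looking at claims).

```python
import base64
import json


def _decode_jwt_payload(token: str) -> dict:
    """Decode the payload segment of a compact JWS.

    Signature verification is deliberately out of scope here: a conformance
    test validates the ID token signature in a separate step and only then
    inspects claims. This helper just extracts the claims for comparison.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_sub_consistency(id_tokens: list) -> dict:
    """Compare the 'sub' claim across ID tokens from repeated authorizations.

    Returns {"consistent": bool, "subs": [...], "problems": [...]}.
    Tokens from different issuers or audiences are flagged rather than
    compared, since sub is only expected to be stable for one client/server pair.
    """
    if len(id_tokens) < 2:
        raise ValueError("need at least two authorizations to compare")
    claims = [_decode_jwt_payload(t) for t in id_tokens]
    problems = []

    issuers = {c.get("iss") for c in claims}
    if len(issuers) != 1:
        problems.append("tokens come from different issuers")

    # 'aud' may be a string or a list; normalise so equal sets compare equal.
    auds = {json.dumps(c.get("aud"), sort_keys=True) for c in claims}
    if len(auds) != 1:
        problems.append("tokens have different audiences (different client?)")

    subs = [c.get("sub") for c in claims]
    if any(s is None for s in subs):
        problems.append("at least one token is missing the sub claim")

    consistent = not problems and len(set(subs)) == 1
    if not problems and not consistent:
        problems.append("sub differs between authorizations for the same client")
    return {"consistent": consistent, "subs": subs, "problems": problems}


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for the sample data below."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(payload)}."


# Constructed sample data: the same client authorising twice at the same bank.
_ISS = "https://bank.example/oidc"   # placeholder issuer
_AUD = "client-123"                  # placeholder client id

CONSISTENT_TOKENS = [
    _make_unsigned_token({"iss": _ISS, "aud": _AUD, "sub": "user-abc", "iat": 1}),
    _make_unsigned_token({"iss": _ISS, "aud": _AUD, "sub": "user-abc", "iat": 2}),
]

# A server handing out a fresh sub per authorization, the behaviour reported in the issue.
INCONSISTENT_TOKENS = [
    _make_unsigned_token({"iss": _ISS, "aud": _AUD, "sub": "session-1", "iat": 1}),
    _make_unsigned_token({"iss": _ISS, "aud": _AUD, "sub": "session-2", "iat": 2}),
]

if __name__ == "__main__":
    print(check_sub_consistency(CONSISTENT_TOKENS))
    print(check_sub_consistency(INCONSISTENT_TOKENS))
```

Whether a "sub differs" result is a failure depends on the ecosystem's profile: pairwise identifiers are still expected to be stable for a given client, whereas an ecosystem that deliberately issues ephemeral subs would treat the second result as acceptable.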

Comments (6)

  1. Joseph Heenan reporter

    Thanks Brian. I had missed that text. I’d always assumed that OIDC core said one user should have exactly one sub (excluding ‘pairwise’), but re-reading it that’s not actually firmly required…

    I’ll need to go back to Brazil on that point, I’m not sure they have any further text in their specs about sub.

  2. Joseph Heenan reporter

    Closing this; feedback so far suggested Brazil haven’t tightened their specs in this area, and other ecosystems (e.g. UK) are deliberately using ephemeral sub, so it looks like there’s little point writing a test. (Many thanks Brian for catching that and saving us a bunch of work.)