[FF-Core] Add fastfed_handshake_id

Issue #11 new
Tim Cappalli created an issue

Microsoft Implementor Feedback

This is just a proposal. If there is general WG agreement, I will create more formal spec text and a PR.

Overview

We'd like to introduce a "handshake ID" into the FastFed handshake to make the exchange closed loop by maintaining context throughout the process.

The handshake ID would be a case-insensitive, relationship-unique string generated by the application provider, included as a query parameter on the handshake start request and in subsequent payloads passed between the two parties. Relationship-unique refers to being unique between an application provider and identity provider. We recommend using a Universally Unique Identifier (UUID) as the handshake ID, but any relationship-unique string with a length between 32 and 48 characters can be used.

Spec Changes

<new section> Application Provider Generates Handshake ID
This section should go between current sections 7.2.1.5 and 7.2.1.6
Application provider generates a new unique handshake ID.
<Text about relationship-uniqueness and UUID recommendation>

7.2.1.6. Application Provider Whitelists the Identity Provider
The handshake ID should be stored in the allow list

7.2.2.4. Identity Provider Checks For Duplicates and Updates
Check for existing handshake ID conflicts

7.2.3.1. Identity Provider Sends Registration Request
Include handshake ID in the registration request payload

7.2.3.2. Application Provider Handles Registration Request
Verify the fastfed_handshake_id matches the ID generated during the initial request

7.2.3.3. Application Provider Sends Registration Response
Include handshake ID in registration response

7.2.3.4. Identity Provider Handles Registration Response
IdP validates handshake ID

7.2.4.1. Identity Provider Sends Finalization Request
IdP includes handshake ID in finalization request

7.2.4.2. Application Provider Handles Finalization Request
AP validates the handshake ID

Examples

Handshake Start Request

GET /fastfed/start?
  fastfed_handshake_id=89aad09d-c932-4cdd-a82c-03d5410d8989
  &app_metadata_uri=https%3A%2F%2Ftenant-67890.app.example.com%2Ffastfed%2Fprovider-metadata
  &expiration=1475878357

Host: tenant-12345.idp.example.com

Identity Provider Registration Request (7.2.3.1)

{
    "iss": "https://tenant-12345.idp.example.com",
    "aud": "https://tenant-67890.app.example.com",
    "exp": 1234567890,
    "fastfed_handshake_id": "89aad09d-c932-4cdd-a82c-03d5410d8989",
    "authentication_profiles": [
        "urn:ietf:params:fastfed:1.0:authentication:saml:2.0:enterprise"
    ],
    "provisioning_profiles": [
        "urn:ietf:params:fastfed:1.0:provisioning:scim:2.0:enterprise"
    ],
    "urn:ietf:params:fastfed:1.0:authentication:saml:2.0:enterprise": {
        "saml_metadata_uri": "https://tenant-12345.idp.example.com/saml-metadata.xml"
    },
    "urn:ietf:params:fastfed:1.0:provisioning:scim:2.0:enterprise": {
        "provider_contact_information": {
            "organization": "Example Inc.",
            "phone": "+1-800-555-6666",
            "email": "provisioning@example.com"
        },
        "provider_authentication_methods": {
            "urn:ietf:params:fastfed:1.0:provider_authentication:oauth:2.0:jwt_profile": {
                "jwks_uri": "https://provisioning.example.com/keys"
            }
        }
    }
}

Application Provider Sends Registration Response (7.2.3.3)

{
  "fastfed_handshake_id": "89aad09d-c932-4cdd-a82c-03d5410d8989",
  "fastfed_handshake_finalize_uri": "https://tenant-67890.app.example.com/fastfed/finalize",
  "urn:ietf:params:fastfed:1.0:authentication:saml:2.0:enterprise": {
    "saml_metadata_uri": "https://tenant-67890.app.example.com/saml-metadata.xml"
  },
  "urn:ietf:params:fastfed:1.0:provisioning:scim:2.0:enterprise": {
    "scim_service_uri": "https://tenant-67890.app.example.com/scim",
    "provider_authentication_methods": "urn:ietf:params:fastfed:1.0:provider_authentication:oauth:2.0:jwt_profile",
    "urn:ietf:params:fastfed:1.0:provider_authentication:oauth:2.0:jwt_profile": {
      "token_endpoint": "https://tenant-67890.app.example.com/oauth",
      "scope": "scim"
    }
  }
}

Identity Provider Sends Finalization Request (7.2.4.1)

{
  "iss": "https://tenant-12345.idp.example.com",
  "aud": "https://tenant-67890.app.example.com",
  "exp": 1234567890,
  "fastfed_handshake_id": "89aad09d-c932-4cdd-a82c-03d5410d8989"
}
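
As an added example (not text from this issue or the FastFed spec), the proposed closed-loop flow sketched in Python, with the handshake ID generated by the application provider, checked for conflicts by the identity provider, and validated on each later message; the class names, the allow-list layout and the per-handshake `state` field are assumptions made here, not part of the proposal:

```python
import uuid

def hid_key(value):
    # Case-insensitive comparison key, 32..48 chars as proposed; None if malformed
    if not isinstance(value, str) or not 32 <= len(value) <= 48:
        return None
    return value.lower()

class ApplicationProvider:
    def __init__(self):
        self.allow_list = {}  # IdP entity id -> {"hid": ..., "state": ...} (hypothetical store)

    def start_handshake(self, idp_id):
        # New section + 7.2.1.6: generate the ID and keep it with the allow-list entry
        hid = str(uuid.uuid4())
        self.allow_list[idp_id] = {"hid": hid, "state": "started"}
        return hid

    def _consume(self, req, expected, nxt):
        # 7.2.3.2 / 7.2.4.2: ID must match the one generated for req["iss"] at the expected step
        entry = self.allow_list.get(req.get("iss"))
        key = hid_key(req.get("fastfed_handshake_id"))
        if entry is None or entry["state"] != expected or key != hid_key(entry["hid"]):
            return False
        entry["state"] = nxt
        return True

    def handle_registration_request(self, req):
        if not self._consume(req, "started", "registered"):
            return None
        return {"fastfed_handshake_id": self.allow_list[req["iss"]]["hid"]}  # 7.2.3.3 echo

    def handle_finalization_request(self, req):
        return self._consume(req, "registered", "finalized")

class IdentityProvider:
    def __init__(self, entity_id):
        self.iss, self.pending = entity_id, {}  # pending: handshake ID key -> AP entity id

    def accept_start(self, ap_id, hid):
        # 7.2.2.4: reject a malformed ID or one conflicting with a pending handshake
        key = hid_key(hid)
        if key is None or key in self.pending:
            return False
        self.pending[key] = ap_id
        return True

    def handle_registration_response(self, hid, resp):
        # 7.2.3.4: the response must echo the ID this IdP sent
        key = hid_key(resp.get("fastfed_handshake_id"))
        return key is not None and key == hid_key(hid)
```

Because the state advances only when the ID matches, a registration or finalization message carrying a stale or foreign ID is rejected rather than silently accepted.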

Comments (2)

  1. Tim Cappalli reporter

    Feedback from implementor’s discussions:

    • Should this actually be a “relationship ID” if it is designed to persist beyond the handshake?

      • In some cases, the FF entity ID cannot be unique per relationship (multi-tenancy and multiple apps per tenant)
