- assigned issue to
- changed milestone to CIBA Implementer's Draft
Sector id inconsistencies in CIBA
Comments on openid-client-initiated-backchannel-authentication-core-01 (2018-12-13):
CIBA discusses using a sector id to derive pairwise ids in section 4 “Registration and Discovery Metadata” and section 14 “Pairwise Identifiers”, but they are inconsistent. Section 14 says clients MUST specify their sector_identifier_uri if the OP uses pairwise ids; while section 4 says jwks_uri is used as a sector id, then that backchannel_client_notification_endpoint can be used as the sector id, and sector_identifier_uri is merely an option to be the sector id.
Section 4 mentions ways to confirm a client controls the jwks_uri they claim; while section 14 says there is no way to do this for polling mode.
The sector id is presumably the host portion (not the full uri) of sector_identifier_uri, jwks_uri, or backchannel_client_notification_endpoint. The text incorrectly says the URI is the sector id (in the 1st & 2nd paragraphs of “Poll and Ping Modes with Pairwise Identifier”).
The section 4 example “POST /connect/register” needs a “sector_identifier_uri” member since “subject_type” is “pairwise” and section 14 says the clients MUST specify sector_identifier_uri in this case.
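The report above hinges on whether the sector identifier is the full URI or only its host component. The following added example (not part of the issue, the draft, or any OpenID implementation) makes the difference concrete: it extracts the host from each of the three candidate metadata fields named in the report and derives a pairwise `sub` from it using a salted-hash construction in the style of OpenID Connect Core section 8.1. The client metadata, the OP salt and the local account id are constructed values; the HMAC-SHA256 construction is one illustrative choice, since Core leaves the exact algorithm to the OP.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed client metadata for the illustration (not taken from the draft).
# All three candidate fields live on the same host, as they typically would.
CLIENT_METADATA = {
    "sector_identifier_uri": "https://client.example.org/sector.json",
    "jwks_uri": "https://client.example.org/keys/jwks.json",
    "backchannel_client_notification_endpoint": "https://client.example.org/ciba/notify",
}

# Constructed OP-side salt; a real OP keeps this secret and stable, because
# changing it changes every pairwise sub it has ever issued.
OP_SALT = b"constructed-op-salt-for-illustration-only"


def sector_identifier(uri: str) -> str:
    """Return the host component of a URI.

    This is what OIDC Core 8.1 treats as the sector identifier: scheme,
    port, path and query are ignored. Only https URIs are accepted.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"sector identifier needs an https URI with a host: {uri!r}")
    return parts.hostname.lower()


def pairwise_sub(sector_id: str, local_account_id: str, salt: bytes = OP_SALT) -> str:
    """Derive a pairwise subject identifier (illustrative construction).

    A keyed hash over (sector id, local account id) yields a stable value per
    sector that cannot be correlated across sectors without the OP's salt.
    """
    msg = f"{sector_id}\x00{local_account_id}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def sector_ids_by_field(metadata: dict) -> dict:
    """Host-derived sector id for each candidate metadata field."""
    return {field: sector_identifier(uri) for field, uri in metadata.items()}


def consistent_sector_id(metadata: dict) -> str:
    """Return the single sector id if every candidate field agrees on the host.

    Raise if they disagree, which is the case the draft's wording leaves
    ambiguous (which field wins). An OP should surface this at registration.
    """
    ids = set(sector_ids_by_field(metadata).values())
    if len(ids) != 1:
        raise ValueError(f"candidate sector ids disagree: {sorted(ids)}")
    return ids.pop()


def subs_if_full_uri_were_sector_id(metadata: dict, local_account_id: str) -> dict:
    """What the literal reading ('the URI is the sector id') would produce.

    Because each field holds a different URI, the same user would get a
    different sub per field, even though all point at one client host.
    """
    return {field: pairwise_sub(uri, local_account_id) for field, uri in metadata.items()}


if __name__ == "__main__":
    sector = consistent_sector_id(CLIENT_METADATA)
    print("sector id (host):", sector)
    print("pairwise sub   :", pairwise_sub(sector, "local-account-0001"))
    for field, sub in subs_if_full_uri_were_sector_id(CLIENT_METADATA, "local-account-0001").items():
        print(f"if full URI were the sector id, via {field}: {sub}")
```

Run as a script, the host-based derivation gives one `sub` regardless of which field the OP consulted, while the full-URI reading gives three different values for the same user and client, which is exactly the inconsistency the report flags.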
Comments (6)
Thanks James, this is a good catch. I've addressed this in: https://bitbucket.org/openid/mobile/commits/bf7c1189a3021fd9e9d3a92f6ebe1c3b2cd62513
- I've removed Section 14 - it was out of sync with the rest of the draft and I don't think added anything that wasn't covered in Section 4
- I've made it clear that it is the host component of the URI that is the sector identifier
- I've made it clear that jwks_uri is only required for clients registering to use poll or ping modes
With the removal of Section 14, I believe the example is now correct.
In the interest of time I've pushed this straight into the main branch - but it would be good if @b_d_c @james_manger & @ve7jtb could take a quick look.
reporter: I would prefer to keep: if an OP uses pairwise ids then a CIBA client MUST specify a sector_identifier_uri. Then simplify the other text based on that.
So OIDC says that Clients SHOULD specify a sector_identifier_uri for pairwise ids. What rationale do we have for upgrading this to a MUST?
As I read it OIDC says that providers should use sector_identifier_uri and leaves it optional for clients. I don't see reason to require it (and place additional demands on clients) in this context.
- changed status to resolved
thanks to Dave's changes in bf7c118