Sector id inconsistencies in CIBA

Issue #132 resolved
James Manger created an issue

Comments on openid-client-initiated-backchannel-authentication-core-01 (2018-12-13):

CIBA discusses using a sector id to derive pairwise ids in section 4 “Registration and Discovery Metadata” and section 14 “Pairwise Identifiers”, but they are inconsistent. Section 14 says clients MUST specify their sector_identifier_uri if the OP uses pairwise ids; while section 4 says jwks_uri is used as a sector id, then that backchannel_client_notification_endpoint can be used as the sector id, and sector_identifier_uri is merely an option to be the sector id.

Section 4 mentions ways to confirm a client controls the jwks_uri they claim; while section 14 says there is no way to do this for polling mode.

The sector id is presumably the host portion (not the full uri) of sector_identifier_uri, jwks_uri, or backchannel_client_notification_endpoint. The text incorrectly says the URI is the sector id (in the 1st & 2nd paragraphs of “Poll and Ping Modes with Pairwise Identifier”).

The section 4 example “POST /connect/register” needs a “sector_identifier_uri” member since “subject_type” is “pairwise” and section 14 says the clients MUST specify sector_identifier_uri in this case.
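The point of the report is that the sector identifier is a host, not a URI, so two registration values with different paths on the same host must yield the same pairwise subject. The following Python is an added illustration written for this page, not text or code from the CIBA draft or the OpenID working group: it extracts the host component from whichever registration URI supplies the sector id and derives a pairwise subject with the example algorithm from OpenID Connect Core section 8.1 (SHA-256 over sector id, local account id and an OP-held salt). The precedence among `sector_identifier_uri`, `backchannel_client_notification_endpoint` and `jwks_uri`, and the requirement that all supplied URIs agree on a host when no `sector_identifier_uri` is given, are assumptions made for the example rather than rules taken from the draft.

```python
import hashlib
from urllib.parse import urlsplit

# Registration keys that the draft discusses as possible sector id sources.
SECTOR_SOURCE_KEYS = (
    "sector_identifier_uri",
    "backchannel_client_notification_endpoint",
    "jwks_uri",
)


def sector_identifier(uri: str) -> str:
    """Return the sector identifier for a URI: its host component, not the full URI."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"sector id source must be an https URI with a host: {uri!r}")
    return parts.hostname  # urlsplit already lower-cases the host


def choose_sector_id(metadata: dict) -> str:
    """Pick the sector id for a registration request.

    Assumption for this example: an explicit sector_identifier_uri wins; otherwise
    every other candidate URI present must resolve to the same host, so that a
    client cannot end up with two different pairwise subjects depending on which
    field the OP happens to read.
    """
    if metadata.get("sector_identifier_uri"):
        return sector_identifier(metadata["sector_identifier_uri"])
    hosts = {sector_identifier(metadata[k]) for k in SECTOR_SOURCE_KEYS[1:] if metadata.get(k)}
    if not hosts:
        raise ValueError("no URI available to derive a sector identifier")
    if len(hosts) > 1:
        raise ValueError(f"candidate sector id sources disagree on host: {sorted(hosts)}")
    return hosts.pop()


def pairwise_sub(sector_id: str, local_account_id: str, salt: bytes) -> str:
    """Example algorithm from OpenID Connect Core 8.1: SHA-256(sector_id || account_id || salt)."""
    h = hashlib.sha256()
    h.update(sector_id.encode("ascii"))
    h.update(local_account_id.encode("utf-8"))
    h.update(salt)
    return h.hexdigest()


# Constructed sample registrations (not from the draft): a poll-mode client that
# gives only jwks_uri, and a ping-mode client whose two URIs share one host.
POLL_CLIENT = {
    "subject_type": "pairwise",
    "jwks_uri": "https://client.example.org/.well-known/jwks.json",
}
PING_CLIENT = {
    "subject_type": "pairwise",
    "jwks_uri": "https://client.example.org/keys",
    "backchannel_client_notification_endpoint": "https://client.example.org/ciba/notify",
}
OP_SALT = b"constructed-op-salt"  # held secret by the OP in practice


def demo() -> tuple[str, str]:
    """Return the pairwise subs both sample clients would receive for one local account."""
    account = "local-account-1234"
    return (
        pairwise_sub(choose_sector_id(POLL_CLIENT), account, OP_SALT),
        pairwise_sub(choose_sector_id(PING_CLIENT), account, OP_SALT),
    )


if __name__ == "__main__":
    poll_sub, ping_sub = demo()
    print("poll client sub:", poll_sub)
    print("ping client sub:", ping_sub)
    print("same sector, same sub:", poll_sub == ping_sub)
```

Because both sample clients sit on `client.example.org`, they receive the same pairwise subject for the same account even though their URIs differ in path; a client whose `jwks_uri` and notification endpoint were on different hosts would be rejected rather than silently given one of two possible subjects.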

Comments (6)

  1. Dave Tonge

    Thanks James, this is a good catch. I've addressed this in: https://bitbucket.org/openid/mobile/commits/bf7c1189a3021fd9e9d3a92f6ebe1c3b2cd62513

    • I've removed Section 14 - it was out of sync with the rest of the draft and I don't think added anything that wasn't covered in Section 4
    • I've made it clear that it is the host component of the URI that is the sector identifier
    • I've made it clear that jwks_uri is only required for clients registering to use poll or ping modes

    With the removal of Section 14, I believe the example is now correct.

    In the interest of time I've pushed this straight into the main branch - but it would be good if @b_d_c @james_manger & @ve7jtb could take a quick look.

  2. James Manger reporter

    I would prefer to keep: if an OP uses pairwise ids then a CIBA client MUST specify a sector_identifier_uri. Then simplify the other text based on that.

  3. Dave Tonge

    So OIDC says that Clients SHOULD specify a sector_identifier_uri for pairwise ids. What rationale do we have for upgrading this to a MUST?

  4. Brian Campbell

    As I read it OIDC says that providers should use sector_identifier_uri and leaves it optional for clients. I don't see reason to require it (and place additional demands on clients) in this context.
