CIBA Pairwise Identifiers Structuring Text

Issue #52 resolved
Axel Nennker created an issue

Comments (10)

  1. Axel Nennker reporter

    Hi all,

    I created https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text to keep track of this.

    In pseudo code the calculation of sub could look like this:

    // Client is authenticated at this point
    If (client.sector_identifier) then 
      // if we have a registered client identifier then use it
      sub = SHA-256 ( client.sector_identifier || local_account_id || salt );
    else 
      //need to determine sector_identifier to use as non is registered for this Client
      If (request_object && client.jwks_uri) then
        // request object signature is valid and key from client.jwks_uri was used to sign it
        sub = SHA-256 ( client.jwks_uri || local_account_id || salt );
      else 
        // no registered sector_identifier, no request_object
        if (client.notification_uri) then
          // not polling but notification mode
          sub = SHA-256 ( client.notification_uri || local_account_id || salt );
        else
          // polling mode but not sector_identifier registered 
          response.setError(invalid_request);
          logError(invalid_request, no sector identifier for %s, client.id);
          return;
        endif
      endif
    endif
    // have sub that is a pairwise identifier here
    

    Having said all that I currently tend to change the spec to say: “In CIBA the Client MUST specify the sector_identifier_uri at registration time if the OP uses Pairwise Identifiers which is strongly recommended”.

    Should we make sector_identifier_uri mandatory for CIBA and cull all other Pairwise Identifier text?

    Cheers Axel

  2. Gonzalo Fernández

    I agree that sector_identifier_uri MUST be specified by the client when Pairwise identifiers is used.

  3. John Bradley
    • changed status to open

    Issue not resolved unless there is some way for the AS to verify the sector identifier. With post post back there is no verification as there is no redirect_uri used.

  4. Gonzalo Fernández

    A proposal from John is to allow using Pairwise Pseudonymous Identifiers only in the case a jwks_uri is registered when the grant-type backchannel_request is registered. In that case the client could use PPIDs as long as it uses mutual TLS authentication to authenticate the token endpoint or the private_key_jwt defined in section 9 of the OpenID core spec. Additiionally it would be OPTIONAL to use signed request object in CIBA authentication requests.

  5. Gonzalo Fernández

    Mutual TLS authentication to the token endpoint was added to the spec, so Clients that registers a jwks_uri when using the backchannel_request grant_type can use this uri as a verified sector identifier and so that they can use PPIDs.

  6. Gonzalo Fernández

    The commit #679a571 adds a "Registration" section that shows How To Use PPIDs when using Polling mechanism. In the #ad81186 commit we ammend the spec adding using mutual tls or private_key_jwt to authenticate the "Token Endpoint" as mandatory to use PPIDs.

  7. Gonzalo Fernández

    The commit #679a571 adds a "Registration" section that shows How To Use PPIDs when using Polling mechanism. In the #ad81186 commit we ammend the spec adding using mutual tls or private_key_jwt to authenticate the "Token Endpoint" as mandatory to use PPIDs.

  8. Log in to comment