CIBA Pairwise Identifiers Structuring Text

Issue #52 resolved
Axel Nennker created an issue

Comments (10)

  1. Axel Nennker reporter

    Hi all,

    I created https://bitbucket.org/openid/mobile/issues/52/ciba-pairwise-identifiers-structuring-text to keep track of this.

    In pseudo code the calculation of sub could look like this:

    import hashlib

    def sha256(text):
        # SHA-256 over the UTF-8 bytes, returned as a hex string
        return hashlib.sha256(text.encode("utf-8")).hexdigest()

    def log_error(code, message):
        print("%s: %s" % (code, message))

    def compute_sub(client, request_object, local_account_id, salt, response):
        # Client is authenticated at this point
        if client.sector_identifier:
            # if we have a registered sector identifier then use it
            sub = sha256(client.sector_identifier + local_account_id + salt)
        else:
            # need to determine a sector_identifier to use, as none is registered for this Client
            if request_object and client.jwks_uri:
                # request object signature is valid and a key from client.jwks_uri was used to sign it
                sub = sha256(client.jwks_uri + local_account_id + salt)
            else:
                # no registered sector_identifier, no request_object
                if client.notification_uri:
                    # not polling but notification mode
                    sub = sha256(client.notification_uri + local_account_id + salt)
                else:
                    # polling mode but no sector_identifier registered
                    response.set_error("invalid_request")
                    log_error("invalid_request", "no sector identifier for %s" % client.id)
                    return None
        # have sub that is a pairwise identifier here
        return sub
    

    Having said all that I currently tend to change the spec to say: “In CIBA the Client MUST specify the sector_identifier_uri at registration time if the OP uses Pairwise Identifiers which is strongly recommended”.

    Should we make sector_identifier_uri mandatory for CIBA and cull all other Pairwise Identifier text?

    Cheers Axel

  2. Gonzalo Fernández

    I agree that sector_identifier_uri MUST be specified by the client when Pairwise identifiers is used.

  3. John Bradley
    • changed status to open

    Issue not resolved unless there is some way for the AS to verify the sector identifier. With post back there is no verification as there is no redirect_uri used.

  4. Gonzalo Fernández

    A proposal from John is to allow using Pairwise Pseudonymous Identifiers only in the case a jwks_uri is registered when the grant-type backchannel_request is registered. In that case the client could use PPIDs as long as it uses mutual TLS authentication to authenticate to the token endpoint or the private_key_jwt defined in section 9 of the OpenID core spec. Additionally it would be OPTIONAL to use a signed request object in CIBA authentication requests.

  5. Gonzalo Fernández

    Mutual TLS authentication to the token endpoint was added to the spec, so Clients that register a jwks_uri when using the backchannel_request grant_type can use this URI as a verified sector identifier, so that they can use PPIDs.

  6. Gonzalo Fernández

    The commit #32a8a30 adds a "Registration" section that shows how to use PPIDs when using the polling mechanism. In commit #587ee61 we amend the spec, making the use of mutual TLS or private_key_jwt to authenticate to the "Token Endpoint" mandatory for using PPIDs.
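    The rule the thread converges on (comments 3 to 6) is: derive the sector from a registered sector_identifier_uri, otherwise from jwks_uri only when the client authenticates to the token endpoint with a key it controls (private_key_jwt or mutual TLS), and refuse to issue a pairwise sub otherwise. The following is an added example illustrating that rule and the pairwise property itself; it is not code from the CIBA specification or the openid/mobile repository. The function names `sector_identifier`, `pairwise_sub` and `try_pairwise_sub`, the constant `KEY_BACKED_AUTH`, the salt, the `notification_uri` field name (taken from the thread's pseudocode) and all client records are constructed for the demonstration. The hash is SHA-256 over sector, account id and salt as in the pseudocode above, with a separator byte so the field boundaries are unambiguous.

```python
"""Pairwise subject identifiers from a verifiable sector (constructed example)."""
import hashlib
from urllib.parse import urlparse

# Constructed salt; a real OP keeps this secret and stable for the lifetime of the accounts.
PAIRWISE_SALT = b"constructed-demo-salt"

# Token endpoint authentication methods that prove possession of a key the client
# publishes at its jwks_uri, which is what makes jwks_uri usable as a verified sector.
KEY_BACKED_AUTH = {"private_key_jwt", "tls_client_auth", "self_signed_tls_client_auth"}


def sector_identifier(client):
    """Return the host that names the client's sector, or None if nothing verifiable exists."""
    if client.get("sector_identifier_uri"):
        # Registered (and validated at registration time, as OIDC Core requires): use it.
        return urlparse(client["sector_identifier_uri"]).hostname
    if client.get("jwks_uri") and client.get("token_endpoint_auth_method") in KEY_BACKED_AUTH:
        # CIBA has no redirect_uri to check against, but a client that authenticates with a
        # key from its jwks_uri has demonstrated control of that URI.
        return urlparse(client["jwks_uri"]).hostname
    # A bare notification_uri is not verified by anything, so it is deliberately NOT used here
    # (this is John's objection in comment 3): two unrelated clients could claim the same one.
    return None


def pairwise_sub(client, local_account_id):
    """Pairwise sub: same user + same sector gives the same value, different sector a different one."""
    sector = sector_identifier(client)
    if sector is None:
        raise ValueError("invalid_request: no verifiable sector identifier for client %s"
                         % client["client_id"])
    # Separator bytes keep ("ab","c") and ("a","bc") from colliding.
    material = sector.encode("utf-8") + b"\x00" + local_account_id.encode("utf-8") + b"\x00" + PAIRWISE_SALT
    return hashlib.sha256(material).hexdigest()


def try_pairwise_sub(client, local_account_id):
    """Convenience wrapper: None instead of an exception when the client has no usable sector."""
    try:
        return pairwise_sub(client, local_account_id)
    except ValueError:
        return None


# Constructed client registrations.
CLIENT_A = {"client_id": "app-a", "sector_identifier_uri": "https://apps.example.com/sectors.json",
            "token_endpoint_auth_method": "client_secret_basic"}
CLIENT_B = {"client_id": "app-b", "sector_identifier_uri": "https://apps.example.com/sectors.json",
            "token_endpoint_auth_method": "client_secret_basic"}
# Polling client with no sector_identifier_uri, but key-backed authentication and a jwks_uri.
CLIENT_C = {"client_id": "app-c", "jwks_uri": "https://keys.rp.example/jwks.json",
            "token_endpoint_auth_method": "private_key_jwt"}
# Same jwks_uri claim, but a shared secret proves nothing about control of that URI.
CLIENT_D = {"client_id": "app-d", "jwks_uri": "https://keys.rp.example/jwks.json",
            "token_endpoint_auth_method": "client_secret_basic"}
# Ping-mode client that registered only a notification_uri.
CLIENT_E = {"client_id": "app-e", "notification_uri": "https://app-e.example/cb",
            "token_endpoint_auth_method": "client_secret_basic"}

if __name__ == "__main__":
    for client in (CLIENT_A, CLIENT_B, CLIENT_C, CLIENT_D, CLIENT_E):
        print(client["client_id"], sector_identifier(client), try_pairwise_sub(client, "alice"))
```

Running the block shows CLIENT_A and CLIENT_B (same sector) receiving the same sub for "alice", CLIENT_C a different one derived from keys.rp.example, and CLIENT_D and CLIENT_E being refused: the jwks_uri of CLIENT_D is unverified because client_secret_basic does not prove key possession, and a notification_uri on its own is never verified.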
