Security profile 8.2 questions

Issue #11 closed
Joseph Heenan created an issue

I'm comparing the OB security profile to the upstream FAPI.

It appears that clause 8.2 is not an exact copy of anything that was ever in the FAPI standard:

It is not mandated that the Authorization request and response are authenticated. Use of request object for the Authorization request and returning an ID token in the Authorization response should be considered to provide message source authentication and integrity protection.

So that this text references the FAPI standard, I am considering replacing it with:

It is not mandated that the Authorization request and response are authenticated. To provide message source authentication and integrity protection:

   * Authorization servers should support the Request Object Endpoint as per FAPI part 2 clause 7
   * Clients should use request_uri in the Authorization request as per FAPI part 2 clause 5.2.2.1
   * Authorization servers should return an ID token as a detached signature to the authorization response as per FAPI part 2 clause 5.2.2.3.

It may be that this should be merged into the core section of the spec, but I guess that could be done later if felt right - the main question is have I captured the essence of what this text was intended to mean?

(ignore my first attempt at this question, I was comparing against the wrong section of FAPI.)
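The integrity check that the "ID token as detached signature" text above relies on, as an added example that is not part of the issue or of the OB/FAPI specs: the client recomputes c_hash and s_hash over the code and state it received and compares them with the claims the authorization server signed into the ID token. The sample code, state and token are constructed, and the JWS signature is assumed to have been verified against the server's keys before the claims are trusted.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values (not from the thread): the code and state of a
# hybrid-flow authorization response returned alongside an ID token.
SAMPLE_CODE = "SplxlOBeZQQYbYS6WxSbIA"
SAMPLE_STATE = "af0ifjsldkj"

def half_hash(value: str) -> str:
    """Left-most 128 bits of SHA-256, base64url without padding: how OIDC Core
    defines c_hash/s_hash for RS256/PS256/ES256-signed ID tokens."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_sample_id_token(code: str, state: str) -> str:
    """Build a compact JWS with a placeholder signature so the example runs
    offline; a real authorization server signs this with its private key."""
    header = b64url(json.dumps({"alg": "PS256", "kid": "placeholder"}).encode())
    payload = b64url(json.dumps({
        "iss": "https://as.example", "aud": "client-id", "sub": "user",
        "c_hash": half_hash(code), "s_hash": half_hash(state),
    }).encode())
    return f"{header}.{payload}.placeholder-signature"

def id_token_claims(id_token: str) -> dict:
    """Decode the payload of a compact JWS. The signature is assumed to have
    been verified against the server's JWKS before these claims are trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_detached_signature(claims: dict, code: str, state: str) -> list:
    """Return the list of binding problems; [] means the code and state the
    client received are the ones the server hashed into the signed ID token."""
    problems = []
    for claim, value in (("c_hash", code), ("s_hash", state)):
        actual = claims.get(claim)
        # Constant-time compare; a missing claim is treated the same as a wrong one.
        if not (actual and hmac.compare_digest(actual, half_hash(value))):
            problems.append(f"{claim} missing or wrong")
    return problems
```

A response whose code or state was swapped in transit yields a non-empty list and must be rejected, even though the ID token itself is validly signed.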

Comments (3)

  1. Joseph Heenan reporter

    Comment from Ralph via email:

    We don't support request_uri yet (only one vendor and subsequently 1/9 of the banks supported it). It's probably why this section was changed to just that sentence as opposed to the one you're proposing.

    Only request object by value not reference is mandated.

    On your proposed change - should request_uri be used you should put something in to make it clear that "clients should use the request_uri endpoint made available / hosted by the authorisation server"

    As per 7.1 The request URI can be hosted by the client or by the authorization server. The advantage of the authorization server hosting the request object is that it doesn't have to support outbound requests to a client specified request URI nor rely on the entropy of the URI for the confidentiality of the request object.

  2. Pamela Dingle

    Reword request object section with explicit references to FAPI

    This simply clarifies the intent of this section, which is to allow banks the option to add support for request_uri if they desire.

    It is worded as 'should' as FAPI part 2 requires request object support, and hence banks should support request objects, given the long term desire that OB banks are compliant with FAPI.

    closes #11

    → <<cset 8236d9c53964>>
