Celia Brockman | 30 May 11:21 2015

[OpenID] (no subject)

I do not have any idea what you're referring to

_______________________________________________
general mailing list
general <at> lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
Peter Williams | 27 May 22:08 2015

[OpenID] implicit and id_token

one thing I'm finding interesting is the world in which .js apps not only obtain control over an id_token blob (via openid connect handshakes using the implicit flow) but use it (vs an access token) to talk to one or more API endpoints.

It's interesting because of semantic differences - differences from the classical oauth2 world of access tokens, of course. Certs are audience-free, of course (being intended for use by anyone, in a process of relying on digital signatures). Both audience-free and audience-controlled id_tokens are now interesting. The combination of the audience-free cert (shared with an API endpoint using SSL client authn) and the audience-free/controlled id_token is also a very interesting combination - particularly when the cert is self-signed.

One can see a world in which consumers post the (self-signed) cert and the id_token to a discovery-site ...that allows others to discover the asserted binding between the cert and the id_token, facilitating lots more digital signature uptake. One sees how the id_token might be "signing" that document (if you recall how in ws-* land, tokens could "sign" (XML) messages).
Celia Brockman | 22 May 11:00 2015

[OpenID] (no subject)

Celia Brockman | 21 May 22:21 2015

[OpenID] (no subject)

Andy Brown | 20 May 16:27 2015

[OpenID] Native App and web API: Is this the proper use of OpenID Connect for this use case?

I'm trying to understand how to use OpenId Connect in the following use case. Let's say we just have the
following 3 components: 

* Web app with an exposed API (Service Provider aka SP). 
* A separate authentication server (Identity Provider aka IDP) used for SSO with the above SP. 
* A native client app used by the End User. This client app uses the SP's API. 

All traffic would be over HTTPS. Here's how I envision the OpenID Connect process working: 

1. The native app would request a "token" from the SP. 
2. The SP would see the user isn't authenticated and ask for verification from the trusted IDP. 
3. After the user's credentials are provided to the IDP, the IDP would return an ID token and Access token to
the SP. 
4. The SP would verify the ID token and give the Access token to the native client app to use for all subsequent
requests to the API. 

Is this the recommended way to use OpenID Connect in this situation? Any obvious security concerns? The
only one I see is that the native client app could use the Access token to access the User Info endpoint at the
IDP. 

Thanks for any help! 

- Andy 
Janusz Ulanowski | 6 May 12:56 2015

[OpenID] dynamic registration

Hi,
I've just read spec 
http://openid.net/specs/openid-connect-registration-1_0.html
And it looks like there is no option for some kind of validation, like 
verifying whether the requesting client is the owner of the keys at jwks_uri.
Maybe such a request could be signed and then validated by the auth server - 
if not, then how could I verify that the client is in my predefined trust group 
(similar to SAML Federation)?
thanks.
-- 
janusz
Adam Dawes | 17 Apr 09:33 2015

[OpenID] oidf-specs-risc <at> lists.openid.net

Hi everyone,

I just wanted to announce the creation of the RISC working group mailing list (oidf-specs-risc <at> lists.openid.net). If you would like to subscribe to the list, go to:


Please note that the list is free for anyone to subscribe to but only those who have submitted their IPR agreement to the OpenID Foundation will be able to post to the list. 

There is also a RISC page on the openid.net web site. Please take a look at:


thanks,
AD
Mike Jones | 17 Apr 02:45 2015

[OpenID] Final OpenID 2.0 to OpenID Connect Migration Specification Approved

Cal Heldenbrand | 15 Apr 21:11 2015

[OpenID] OIDC federation using ID Tokens as OAuth2 grants

Hi everyone,

I've been doing a lot of reading on OpenID Connect, and there's one area that I'm a little confused on -- federated identities.  My curiosity was piqued from Page 225 of the book Advanced API Security.  In particular, this quote:

...you need to find a way to exchange the ID token received in OpenID Connect authentication for an OAuth access token, which is defined in the JWT grant types for the OAuth 2.0 specification.  Once the web application receives the ID token ... it has to exchange it for an access token by talking to the OAuth authorization server.  The authorization server must trust the OpenID Connect identity provider.

I realize this is a grey area between OIDC and OAuth2... but are there any spec documents that outline this trust relationship, and how it applies to ID Tokens in particular?  (Also, are there any known implementations out there that actually use this?)

I've read through the draft-ietf-oauth-jwt-bearer document, and it seems very close to what I was looking for.  But the JWT format is a little different from an ID Token, and the audience is not in the format of a typical client_id.  And, I was assuming Authorized Party (azp) would somehow fit into this flow.

Any extra info on this would be very helpful!

Thank you,

--Cal

Nat Sakimura | 13 Apr 11:52 2015

[OpenID] Visiting Kuching (May 2 to 12)

I wonder if there are any people on this list who are in Kuching, Malaysia. 
I am visiting there from May 2 to 12 for ISO/IEC JTC 1/SC 27 Meetings. 

If there can be any side-meeting or dinner during the period, it should be interesting. 

Best, 

Nat
Nat Sakimura | 8 Apr 16:53 2015

[OpenID] Vote to approve OpenID 2.0 to Connect Migration spec is closing in two days

Hi Everybody, 

The vote is going to be closed in two days. 

If you have not already voted, please do so now!


Cheers, 

Nat
---------- Forwarded message ----------
From: <help <at> oidf.org>
Date: 2015-03-20 22:03 GMT+09:00
Subject: [OpenID Foundation] New Poll Opened
To: sakimura <at> gmail.com


Hello Nat Sakimura,

Voting on the following poll opens today, March 20, 2015, at noon PDT. Please register your vote before noon PDT, April 9, 2015.

Link:
https://openid.net/foundation/members/polls/91

Title:
Vote to approve final OpenID 2.0 to OpenID Connect Migration 1.0 specification

Description:
The OpenID Connect Working Group recommends approval of the following specification as an OpenID Final Specification:
* OpenID 2.0 to OpenID Connect Migration 1.0 – Defines how to migrate from OpenID 2.0 to OpenID Connect – http://openid.net/specs/openid-connect-migration-1_0-08.html

A Final Specification provides intellectual property protections to implementers of the specification and is not subject to further revision.

The official voting period will be between Thursday, April 2nd and Thursday April 9, 2015.  For the convenience of members, voting will actually open on Friday, March 20th for members who have completed their reviews by then, with the voting period still ending on Thursday April 9, 2015.

If you’re not already a member, or if your membership has expired, please consider joining to participate in the approval vote.  Information on joining the OpenID Foundation can be found at https://openid.net/foundation/members/registration.

A description of OpenID Connect can be found at http://openid.net/connect/. The working group page is http://openid.net/wg/connect/.

-- Michael B. Jones, OpenID Foundation Secretary


Available Choices:
* Approve
* Object
* Abstain

Thank you for your participation!

---
The OpenID Foundation
http://openid.net/foundation/



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
<at> _nat_en