[Fedsec-cg] [Idel-wg] OIDC/OA4MP Specification v0.2 - please read and comment
Mischa Salle
msalle at nikhef.nl
Fri Jun 5 11:22:35 EDT 2015
Dear Jim, others,
as discussed during the AARC meeting, here's some high-level comments on
the document.
1) I would try to focus on the MyProxy specific features. Currently a
large part of the document is redescribing the standard
OpenID-Connect specification/architecture which distracts.
2) As I suggested, it would be good to use the information retrieved from
the userinfo endpoint to put in the CSR. As you mentioned, this gives
an extra check for binding the token with the user.
3) Also I would probably demand some form of client auth (e.g. the
client_secret) for the /userinfo endpoint. This is one of the things
I don't like so much in the OpenID Connect spec, it leaves this auth
too much open (and so does google): if someone intercepts the access
token, (s)he can get all the /userinfo information. By preventing
that, point 2) becomes much stronger.
Personally I would have liked it if OIC (also) used the ID Token
for that, since it can contain audience and authorized party
restrictions, but the spec doesn't seem to want you to do that...
Perhaps I don't understand the ID Token rationale sufficiently yet.
4) Likewise, doing a GET /userinfo request with an access_token in the
URL is IMHO a bad idea as the token ends up in logfiles and/or leaks
in other ways (this is the second example at the UserInfo Request).
I don't think the OIC spec mentions this, but RFC6750 mentions it in
section 5.3 (last point).
5) You give an example of a /getcert request passing the CSR via a GET
request in the URL. That will give problems on certain platforms due
to maximum length of URLs. I would make it a POST.
I think that's most of it for now...
Best wishes,
Mischa Sallé
On Wed, Dec 31, 2014 at 11:22:39PM +0000, Sill, Alan wrote:
> Dear IDEL-WG and FedSec-CG folks,
>
> Thought you would be interested in the following link. Please consider reading and commenting on this ongoing work by Jim Basney, Jeff Gaynor and Wendy Edwards.
>
> For further details, please see the message at the second link below.
>
> Topic:
> OpenID Connect for MyProxy Protocol Specification
> Version 0.2 (Dec 2014 - IN PROGRESS)
> Jim Basney <jbasney at illinois.edu>
> Jeff Gaynor <gaynor at illinois.edu>
> Wendy Edwards <wedwards at illinois.edu>
>
> Link:
> http://goo.gl/VnMKXS
>
> Further information:
> https://www.ogf.org/pipermail/idel-wg/2013-September/000011.html
>
> Alan
>
> P.S.: Happy new year!
>
> _______________________________________________
> Idel-wg mailing list
> Idel-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/idel-wg
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
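Added example, not part of the message above and not code from the OA4MP specification or its authors: a stdlib-only Python sketch of a toy /userinfo endpoint and client that acts on points 2, 3 and 4 of the comments. The server refuses an access_token passed in the query string and accepts it only in the Authorization header (point 4, RFC 6750 section 5.3); the client_id/client_secret pair sent in the POST body is a hypothetical extension standing in for the client authentication asked for in point 3, not something the OpenID Connect spec defines; and the CSR subject is derived from the returned claims rather than from anything the client asserts (point 2). Token values, client credentials, claims, the /DC=org/DC=example DN layout and the 127.0.0.1 test server are all constructed for the demo.

```python
import hmac
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed fixtures for the demo only; not real tokens, secrets or users.
ACCESS_TOKENS = {
    "tok-2f8e1c": {"sub": "248289761001", "name": "Jane Doe", "email": "jane@example.org"},
}
CLIENTS = {"myproxy-oa4mp": "client-secret-demo"}  # client_id -> client_secret


class UserInfoHandler(BaseHTTPRequestHandler):
    """Toy /userinfo endpoint applying points 3 and 4 of the comments."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Bearer realm="userinfo"')
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def _handle(self, form):
        url = urlsplit(self.path)
        if url.path != "/userinfo":
            return self._send(404, {"error": "not_found"})
        # Point 4 (RFC 6750 s5.3): a bearer token in the URL lands in access
        # logs, Referer headers and proxy caches, so refuse it outright.
        if "access_token" in parse_qs(url.query):
            return self._send(400, {"error": "invalid_request",
                                    "error_description": "send the token in the Authorization header"})
        scheme, _, token = self.headers.get("Authorization", "").partition(" ")
        claims = ACCESS_TOKENS.get(token) if scheme == "Bearer" else None
        if claims is None:
            return self._send(401, {"error": "invalid_token"})
        # Point 3 (hypothetical extension, not in the OIDC spec): an intercepted
        # access token alone is not enough; the client must also prove its secret.
        client_id = form.get("client_id", [""])[0]
        secret = form.get("client_secret", [""])[0]
        expected = CLIENTS.get(client_id, "")
        if not (expected and hmac.compare_digest(secret, expected)):
            return self._send(401, {"error": "invalid_client"})
        return self._send(200, claims)

    def do_GET(self):
        self._handle({})

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self._handle(parse_qs(self.rfile.read(length).decode()))


def userinfo_request(port, token, client_id=None, client_secret=None, token_in_query=False):
    """Client side; returns (HTTP status, parsed JSON body)."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    path, headers = "/userinfo", {}
    if token_in_query:
        path += "?" + urlencode({"access_token": token})  # the anti-pattern from point 4
    else:
        headers["Authorization"] = "Bearer " + token
    if client_id is not None:
        body = urlencode({"client_id": client_id, "client_secret": client_secret})
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        conn.request("POST", path, body=body, headers=headers)
    else:
        conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    status, data = resp.status, json.loads(resp.read())
    conn.close()
    return status, data


def csr_subject_from_claims(claims):
    """Point 2: build the CSR subject from the /userinfo claims so the issued
    certificate is bound to the user behind the token. DN layout is assumed."""
    return "/DC=org/DC=example/CN=%s %s" % (claims["name"], claims["sub"])


def run_demo():
    """Runs the four exchanges against a local server and returns the outcomes."""
    server = HTTPServer(("127.0.0.1", 0), UserInfoHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        r = {}
        r["query_token_status"], _ = userinfo_request(port, "tok-2f8e1c", token_in_query=True)
        r["no_client_auth_status"], _ = userinfo_request(port, "tok-2f8e1c")
        r["bad_secret_status"], _ = userinfo_request(port, "tok-2f8e1c", "myproxy-oa4mp", "wrong")
        r["ok_status"], claims = userinfo_request(port, "tok-2f8e1c", "myproxy-oa4mp", "client-secret-demo")
        r["claims"] = claims
        r["csr_subject"] = csr_subject_from_claims(claims)
        return r
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The same /getcert request from point 5 would carry the CSR in a POST body exactly as the client credentials are carried here, which sidesteps the URL length limits and the logging problem at once.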