[Idel-wg] OIDC/OA4MP Specification v0.2 - please read and comment

Mischa Salle msalle at nikhef.nl
Fri Jun 5 11:22:35 EDT 2015


Dear Jim, others,

as discussed during the AARC meeting, here are some high-level comments on
the document.

1) I would try to focus on the MyProxy specific features. Currently a
   large part of the document is redescribing the standard
   OpenID-Connect specification/architecture which distracts.

2) As I suggested, it would be good to use the information retrieved from
   the userinfo endpoint to put in the CSR. As you mentioned, this gives
   an extra check for binding the token with the user.

3) Also I would probably demand some form of client auth (e.g. the
   client_secret) for the /userinfo endpoint. This is one of the things
   I don't like so much in the OpenID Connect spec, it leaves this auth
   too much open (and so does google): if someone intercepts the access
   token, (s)he can get all the /userinfo information. By preventing
   that, point 2) becomes much stronger.
   Personally I would have liked it if OIC would (also) use the ID Token
   for that, since it can contain audience and authorized party
   restrictions, but the spec doesn't seem to want you to do that...
   Perhaps I don't understand the ID Token rationale sufficiently yet.

4) Likewise, doing a GET /userinfo request with an access_token in the
   URL is IMHO a bad idea as the token ends up in logfiles and/or leaks
   in other ways (this is the second example at the UserInfo Request).
   I don't think the OIC spec mentions this, but RFC6750 mentions it in
   section 5.3 (last point).

5) You give an example of a /getcert request passing the CSR via a GET
   request in the URL. That will give problems on certain platforms due
   to the maximum length of URLs. I would make it a POST.

I think that's most of it for now...

Best wishes,
Mischa Sallé

On Wed, Dec 31, 2014 at 11:22:39PM +0000, Sill, Alan wrote:
> Dear IDEL-WG and FedSec-CG folks,
> 
> Thought you would be interested in the following link. Please consider reading and commenting on this ongoing work by Jim Basney, Jeff Gaynor and Wendy Edwards.
> 
> For further details, please see the message at the second link below.
> 
> Topic:
> OpenID Connect for MyProxy Protocol Specification
> Version 0.2 (Dec 2014 - IN PROGRESS)
> Jim Basney <jbasney at illinois.edu>
> Jeff Gaynor <gaynor at illinois.edu>
> Wendy Edwards <wedwards at illinois.edu>
> 
> Link:
> http://goo.gl/VnMKXS 
> 
> Further information:
> https://www.ogf.org/pipermail/idel-wg/2013-September/000011.html
> 
> Alan
> 
> P.S.: Happy new year!
> 
> _______________________________________________
> Idel-wg mailing list
> Idel-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/idel-wg

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
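Added example, not code from the OA4MP specification or from anyone in this thread: the server-side checks that points 2) to 5) above ask for, written as pure functions over a minimal request record so they can be run offline. Only the endpoint names /userinfo and /getcert come from the thread; the form-encoded client credentials, the CSR subject arriving as a DN string (instead of being read out of a parsed PKCS#10 request), the URL/body conventions and the in-memory token and client stores are all assumptions made for this example.

```python
# Added example, not from the OA4MP specification or the thread above: the
# server-side checks that points 2) to 5) ask for, written as pure functions
# over a minimal request record so they run offline.  /userinfo and /getcert
# are the endpoint names from the thread; everything else (form-encoded client
# credentials, the CSR subject passed as a DN string instead of a parsed
# PKCS#10, the in-memory token and client stores) is an assumption made here.
import hmac
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass
class Request:
    method: str
    url: str                                # path plus optional query string
    headers: dict = field(default_factory=dict)
    body: bytes = b""


# Constructed stores standing in for the server's token and client databases.
TOKENS = {"tok-abc": {"sub": "user123", "client_id": "portal"}}
CLIENTS = {"portal": "s3cret", "other": "s2cret"}


def form_body(**fields):
    """Encode fields as an application/x-www-form-urlencoded request body."""
    return urlencode(fields).encode("utf-8")


def _form(req):
    """Decode a form-encoded body into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(req.body.decode("utf-8")).items()}


def _bearer(req):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    parts = req.headers.get("Authorization", "").split(None, 1)
    if len(parts) == 2 and parts[0].lower() == "bearer":
        return parts[1]
    return None


def userinfo(req):
    """Return (status, claims or error message) for a /userinfo request."""
    # Point 4) and RFC 6750 section 5.3: a token in the URL lands in web server
    # logs and browser history, so refuse it instead of quietly accepting it.
    if "access_token" in parse_qs(urlsplit(req.url).query):
        return 400, "send access_token in the Authorization header, not the URL"
    claims = TOKENS.get(_bearer(req))
    if claims is None:
        return 401, "invalid or missing bearer token"
    # Point 3): require client authentication on top of the bearer token, so an
    # intercepted token alone is not enough to read the claims.  The secret is
    # taken from a POST body here (assumption); a GET therefore fails this check.
    form = _form(req) if req.method == "POST" else {}
    client_id = form.get("client_id", "")
    secret = CLIENTS.get(client_id)
    if secret is None or not hmac.compare_digest(secret, form.get("client_secret", "")):
        return 401, "client authentication failed"
    if claims["client_id"] != client_id:
        return 401, "token was not issued to this client"
    return 200, dict(claims)


def getcert(req, claims):
    """Return (status, message) for a /getcert request on behalf of claims."""
    # Point 5): a CSR does not fit reliably in a GET URL; require a POST body.
    if req.method != "POST":
        return 405, "send the CSR in a POST body, not in the URL"
    subject = _form(req).get("subject", "")
    # Point 2): bind the CSR to the token holder by checking that the subject
    # the client asks for matches what /userinfo returned for the token.
    # The DN is split naively (no escaped commas); a real server would read the
    # subject out of the parsed PKCS#10 request instead.
    rdns = dict(part.split("=", 1) for part in subject.split(",") if "=" in part)
    if rdns.get("CN") != claims.get("sub"):
        return 403, "CSR subject does not match the authenticated user"
    return 200, "would sign CSR for " + subject
```

A client that follows the advice in the thread sends `Authorization: Bearer tok-abc` plus its client_id/client_secret in a POST body to /userinfo, then POSTs the CSR (with CN equal to the returned sub) to /getcert; the same token passed as `?access_token=` is rejected with 400, a bare bearer token without client credentials with 401, and a CSR for some other subject with 403.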