-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Inconsistent Subject Identifier Properties across Standards (voPersonID, OASIS subject-id, OIDC/OAuth sub) #17
Comments
To change from
|
AFAIR we introduced using the |
Its value (pairwise/public) depends on the Unless we agree that there will be no pairwise identifiers transmitted by We have already seen problems with services not being able to understand other claims, and others that eventhough they do understand other claims as identifiers, they cannot be configured to extract part of them (the first element). IMO using |
I still see several issues with That
In case 1) the infra proxy is just passing all the information unchanged onwards, it cannot change anything in the token (since it's not the issuer) so logically there is no infrastructure proxy (but see below under verification too). Concerning pairwise: in case 1) I can see how a pairwise could still be working (although it would be difficult to determine for the Community AAI which probably still sees all services as a single SP), in case 2) pairwise doesn't seem to make any sense: it's pairwise between community and infra, not beyond: whatever the infra proxy is passing on cannot be called a pairwise identifier. Verification: case 1) implies that end services that want to do verification via introspection & well-known metadata endpoints (standard pattern) they will end up at the community AAI unless the infra proxy implements proxied token introspection. If they want to do offline verification, all end-services must trust all community AAIs directly. Since the latter again implies that there is not really a separate infra proxy, I think case 1) requires support for proxied token introspection. Additionally, I'm still thinking that changing the content of the
|
From the (just-finished) call: |
|
Note that the JWT RFC allows for either local or globally unique:
We also need to consider the syntax limitations to align between OIDC/OAuth |
Current Proposals:I've tried to summarise the four different approaches discussed during the last architecture working group meetings: 1. Stick to
|
Comments on
|
I think everything beside 2 would be fine, since we do not "break" previous guidelines. I also assume that we have always the problem of users appearing in two different accounts by using different proxies in the chain, because it is always possible that anyone in the chain releases pairwise identifiers. |
Have we ever thought about connecting CAAI and IP via SAML. In this case there wouldn't be any |
The different approaches for expressing subject identifiers are depicted below: Key Points identified so far:
|
So that we don't forget, from our last meeting: I think we might want/need to make a difference between the community AAI and the infrastructure proxy (whether both are separately present is dependent on the details of the communities/infrastructures).
I think these two can exist perfectly fine in one AARC BPA? |
Here is an updated diagram that visualises the attribtue/claim release requirements for Identity Proxies/Community AAIs/Infra Proxies depending on the type of relying party they need to interact with. Base on this, AARC-compliant proxies need to be flexible, and I don't see how they can avoid modifying
|
In addition to your point bullet, two points: there might also be services that want yet another attribute (such as Fortunately the combination sub/iss should not be an issue for these situations since they are connected to a single proxy. |
Description
This issue highlights inconsistencies in subject identifier properties (multiplicity, case sensitivity, syntax) between voPersonID, OASIS subject-id, and OIDC/OAuth sub.
Subject Identifier Comparison
@
+ 64 ASCII for scopesubject-id
) & pairwise (pairwise-id
) attributesub
claimWe need to investigate if we can use an existing attribute/claim or if we need to define a new one. Using something standard like
sub
would be easy.See also RANDE proposal for introducing
gsub
claim: https://docs.google.com/document/d/1XH3pX4zU62S7VQ3JGTLDgSr4tb9vt6sDW0sgxD2Xi64/editRelated Issues
The text was updated successfully, but these errors were encountered: