slight tweak to default treatment of https URLs #468
Conversation
unambiguously defines the plain https Client Identifier URLs as a fallback to mean OpenID Federation
as per joseph's suggestion
There was a problem hiding this comment.
i am not comfortable with keeping https to be reserved only for openid federation. what I said in #401 (comment)
|
|
||
| For example, if an Authorization Request contains `client_id=example-client`, the Wallet would interpret the Client Identifier as referring to a pre-registered client. | ||
|
|
||
| If the Client Identifier begins with `https://` the full Client Identifier URL represents an Entity Identifier defined in OpenID Federation [@!OpenID.Federation] and MUST be processed as though it was prefixed with `openid_federation` as described below. |
There was a problem hiding this comment.
I personally don't have an issue with OpenID4VP defining the default behavior of https URLs as long as it's defined only within the context of OpenID4VP and doesn't spill out to unrelated communities and ecosystems.
if this is the case, it must be much more explicit that this https:// behavior is only for openid4vp context
There was a problem hiding this comment.
Aaron's intent is to make it not ambiguous that within the context of openid4vp, https client_id_scheme is federation.
Brian's PR says, if there is no prefix, the wallet implementation picks the default. so this PR clarifies, when the url does not have a prefix, default is openidfederation.
|
I got a request for a rendered version of this PR so uploaded html that would result from this PR here in case it's useful to others: |
selfissued
left a comment
selfissued
left a comment
There was a problem hiding this comment.
This improves the PR that it would be merged into by removing the breaking change.
| * `x509_hash`: When the Client Identifier Scheme is `x509_hash`, the Client Identifier MUST be a hash and match the hash of the leaf certificate passed with the request. The request MUST be signed with the private key corresponding to the public key in the leaf X.509 certificate of the certificate chain added to the request in the `x5c` JOSE header parameter [@!RFC7515] of the signed request object. The value of `x509_hash` is the base64url encoded value of the SHA-256 hash of the DER-encoded X.509 certificate. The Wallet MUST validate the signature and the trust chain of the X.509 leaf certificate. All verifier metadata other than the public key MUST be obtained from the `client_metadata` parameter. Example Client Identifier: `x509_hash:Uvo3HtuIxuhC92rShpgqcT3YXwrqRxWEviRiA0OZszk` | ||
|
|
||
| To use the Client Identifier Schemes `https`, `did`, `verifier_attestation`, `x509_san_dns` and `x509_hash`, Verifiers MUST be confidential clients. This might require changes to the technical design of native apps as such apps are typically public clients. | ||
| * `openid_federation`: This value indicates that the Client Identifier is an Entity Identifier defined in OpenID Federation [@!OpenID.Federation]. Processing rules given in [@!OpenID.Federation] MUST be followed. Automatic Registration as defined in [@!OpenID.Federation] MUST be used. The Authorization Request MAY also contain a `trust_chain` parameter. The final Verifier metadata is obtained from the Trust Chain after applying the policies, according to [@!OpenID.Federation]. The `client_metadata` parameter, if present in the Authorization Request, MUST be ignored when this Client Identifier scheme is used. Example Client Identifier: `openid_federation:https://federation-verifier.example.com`. |
There was a problem hiding this comment.
We would need to add here (without the openid_federation: prefix) like in case of the redirect_uri
|
WG discussion:
|
|
chair hat off, we should also define behavior when client_id does not have a prefix, and does not happen to start with https:// |
|
Just for info for readers: there is some overlap with the federation spec owned connect wg here, and this is scheduled to be discussed on Thursday's Connect WG call, we're trying to the best of our ability to have alignment between Connect, DCP & OAuth working groups. |
There's text here (which I think has been there a while): in particular:
Do you think this needs any change? |
|
i listened to the discussion and it seems strange to have two ways of being able to utilize openid federation. What are the consequences?
|
Co-authored-by: Michael B. Jones <michael_b_jones@hotmail.com>
| For example, if an Authorization Request contains `client_id=example-client`, the Wallet would interpret the Client Identifier as referring to a pre-registered client. | ||
|
|
||
| If the Client Identifier begins with `https://` the full Client Identifier URL represents an Entity Identifier defined in OpenID Federation [@!OpenID.Federation] and MUST be processed as though it was prefixed with `openid_federation` as described below. | ||
| Note that like all requirements in this specification, this requirement only applies when using this specification. |
There was a problem hiding this comment.
this new sentence is a tautology
|
please re-review PR #401 in light of new understanding in DCP WG that is documented in #401 (comment) |
bc-pi
left a comment
bc-pi
left a comment
There was a problem hiding this comment.
the underlying openid:equal-treatment-under-the-prefix branch and open PR #401 against which this one was created no longer has default so this has effectively been overcome by events
|
I don't think this PR is necessary anymore since the changes to #401, as has been discussed in the WG call and in the issue comments. |
7 participants
unambiguously defines the plain https Client Identifier URLs as a fallback to mean OpenID Federation
This is a PR against the open PR #401
Context of this PR is documented in #401 (comment)