List: openid-general
Subject: Re: [OpenID] discovery url vs issuer
From: <home_pw () msn ! com>
Date: 2016-01-28 14:28:32
Message-ID: BAY404-EAS237B1964B5A42B7FA6D220292DA0 () phx ! gbl
Don't forget the Azure OpenID with Shibboleth hookup option, i.e. cloud hosted protocol conversion/integration. Properly supported option. Shib has to be set up a particular way.
Used to add OpenID to all the US schools who were induced to adopt Shib but were denied OpenID (by the somewhat religious Shib technical community).
For us viewers, clouds like Azure and Amazon add assurances, like sending log files to NSA for cyberattack profiling etc. The crypto may be in FIPS hardware, etc. The data center is audited and hardware is fault tolerant.
These kinds of assurances may not be matters that realty security cares about, being unable to afford a dollar a user a month to pay for it.
What is interesting now is the like of Google Now cards, app launching, cross app SSO launching (for example: my Chevy app launches the OnStar app, launches my Apple CarPlay app suite, and the Google Now search app (with cards and consumer login) nicely leverages SSO with OpenID and account linking (e.g. see the Azure B2C variant of OpenID) to ensure the other apps continue to use their own tokens/membership while getting integrated, location aware app launching.
OpenID is really blossoming now, having found a way to really add value: bridging the old Web with cross vendor phone apps.
Sent from Outlook Mobile
On Thu, Jan 28, 2016 at 5:35 AM -0800, "Paul Hethmon" <paul.hethmon@clareitysecurity.com> wrote:
John,
Thanks for the information.
> On Jan 27, 2016, at 9:29 PM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> I suspect that you are going to be better off with the interop testing list.
>
> Information on testing and subscribing to the list are at this link.
>
> http://osis.idcommons.net/wiki/OC5:OpenID_Connect_Interop_5
I will get signed up and involved there, hadn't found that one.
>
> To answer the question, yes they must all match. The value of issuer is the URI before appending /.well-known/openid-configuration to the issuer per sec 4 of discovery.
There's the section I missed. Section 4 is very clear.
>
> The value returned by the webfinger element with the rel member value of http://openid.net/specs/connect/1.0/issuer is the issuer identifier and not the location of the meta-data.
> That is in Sec 2 of Discovery.
>
> Perhaps in a future errata we might add a note to make that clearer in Sec 2.
A note with a pointer to see Sec 4 would be helpful.
>
> You are now going to ask why the whole string for the meta-data location is not used as the issuer.
> We did debate that at the time and the answer is size.
Fair enough.
I've read (and written) enough specs to know better than to stop reading, but in the rush to get things out the door, there's a tendency to stop reading once you believe you have the answer.
thanks,
Paul
-----
Paul Hethmon
Chief Software Architect
paul.hethmon@clareitysecurity.com
_______________________________________________
general mailing list
general@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
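The rule John Bradley states in the quoted reply (the issuer is the URI before /.well-known/openid-configuration is appended, and the href of the WebFinger link with rel http://openid.net/specs/connect/1.0/issuer is the issuer identifier, not the metadata location) is exactly what a relying party should enforce when it consumes a discovery document, because a document whose issuer does not match the URL it was fetched from is not authoritative for that issuer. The following is an added Python example, not code from the thread or from any OpenID project. The provider op.example.com, the account acct:joe@example.com and both metadata documents are constructed; the trailing-slash handling follows Discovery section 4.1 and the match requirement follows section 4.3.

```python
"""Added example: check that the three places an OpenID Connect issuer can
appear agree with each other (Discovery sec 2 and sec 4).
All sample data below is constructed; op.example.com is hypothetical."""
import json
from urllib.parse import urlsplit, urlunsplit

# rel value that identifies the issuer link in a WebFinger JRD (Discovery sec 2)
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
# suffix appended to the issuer to locate the metadata document (Discovery sec 4)
WELL_KNOWN = "/.well-known/openid-configuration"


def issuer_from_webfinger(jrd: dict) -> str:
    """The href of the issuer link is the Issuer Identifier itself,
    not the location of the metadata document."""
    for link in jrd.get("links", []):
        if link.get("rel") == ISSUER_REL and "href" in link:
            return link["href"]
    raise ValueError("WebFinger response carries no OpenID issuer link")


def discovery_url(issuer: str) -> str:
    """Form the metadata URL from the issuer (sec 4.1): https only, no query
    or fragment, and a terminating '/' on the path is removed first."""
    parts = urlsplit(issuer)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"not a valid issuer identifier: {issuer!r}")
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme, parts.netloc, path + WELL_KNOWN, "", ""))


def verify_issuer(jrd: dict, metadata_url: str, metadata: dict) -> str:
    """Require that the WebFinger issuer, the URL the metadata was fetched
    from, and the 'issuer' member of the document all agree (sec 4.3).
    On mismatch the RP must not use the document's endpoints or keys."""
    issuer = issuer_from_webfinger(jrd)
    expected_url = discovery_url(issuer)
    if metadata_url != expected_url:
        raise ValueError(f"metadata fetched from {metadata_url!r}, expected {expected_url!r}")
    if metadata.get("issuer") != issuer:
        raise ValueError(f"document issuer {metadata.get('issuer')!r} != {issuer!r}")
    return issuer


def issuer_matches(jrd: dict, metadata_url: str, metadata: dict) -> bool:
    """Boolean wrapper around verify_issuer for callers that want a verdict."""
    try:
        verify_issuer(jrd, metadata_url, metadata)
        return True
    except ValueError:
        return False


# --- constructed sample data (hypothetical OP at op.example.com) ---
ISSUER = "https://op.example.com/tenant1"
SAMPLE_JRD = json.loads("""{
  "subject": "acct:joe@example.com",
  "links": [{"rel": "http://openid.net/specs/connect/1.0/issuer",
             "href": "https://op.example.com/tenant1"}]
}""")
GOOD_METADATA = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
    "jwks_uri": ISSUER + "/jwks",
}
# The confusion discussed in the thread: the full metadata location used as
# the issuer value.  Sec 4.3 requires the RP to reject such a document.
BAD_METADATA = dict(GOOD_METADATA, issuer=ISSUER + WELL_KNOWN)

if __name__ == "__main__":
    url = discovery_url(ISSUER)
    print("metadata URL:", url)
    print("good document accepted:", issuer_matches(SAMPLE_JRD, url, GOOD_METADATA))
    print("bad document accepted: ", issuer_matches(SAMPLE_JRD, url, BAD_METADATA))
```

The check is deliberately a strict string comparison rather than a normalised one: section 4.3 says the returned issuer must be identical to the issuer used to retrieve the configuration, so an implementation that "helpfully" tolerated a trailing slash or a different host casing would be accepting documents the spec tells it to reject.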