[mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?
Michael Furman
michael_furman at hotmail.com
Thu Aug 25 09:52:29 EDT 2016
Hi Justin,
Thank you for your help!
I have couple of additional questions:
1) How is possible to establish the static registration?
I want to establish the trust without the UI (during the installation of our products).
2) I read in the specifications that ID Tokens MUST be signed using JWS (http://openid.net/specs/openid-connect-core-1_0.html#IDToken) and the Client MUST validate the signature of all other ID Tokens according to JWS using the algorithm specified in the JWT alg Header Parameter (http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
Should the RP get the public key of the IDP?
How they exchange the public key?
Thank you in advance for your help.
Best regards,
Michael
________________________________
From: Justin Richer <jricher at mit.edu>
Sent: Wednesday, August 24, 2016 8:56 PM
To: Michael Furman
Cc: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?
By default, simple-web-app is set up to use dynamic client registration:
https://tools.ietf.org/html/rfc7591
The server generates an ID and secret and hands them to the client as part of this protocol. This is not using symmetric encryption or symmetric signatures.
It is possible to use asymmetric signatures to authenticate the client, but the client needs to register its JWK value or JWK Set URI with the server to do so.
- Justin
On Aug 24, 2016, at 9:15 AM, Michael Furman <michael_furman at hotmail.com<mailto:michael_furman at hotmail.com>> wrote:
Hi all,
I have launched the openid-connect-server-webapp server and the demo client (simple-web-app).
I see that during the dynamical registration the client registered with the random client secret (For the example
JqnXxNQzuAIg1qR0EZXS3WKfdKmvcKowlrIMQ0E8bDXrjRJjZA5nSJTxAeGlAaKVNQ9Qv3zoEUzhYSJyLJeFHg)
1) How the secret passed from the server to the client?
2) According to my understanding it is shared secret (i.e. the symmetric encryption).
Is it possible to use the asymmetric encryption to enable the trust between the openID client and the mitreid-connect server?
Thank you in advance for your help.
Best regards,
Michael
_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>
http://mailman.mit.edu/mailman/listinfo/mitreid-connect
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20160825/4779001a/attachment-0001.html
More information about the mitreid-connect
mailing list