[mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?

Michael Furman michael_furman at hotmail.com
Sun Aug 28 07:45:14 EDT 2016


Hi Justin,
Thank you!
We want to eliminate manual operations in the UI during the installation.
Is it possible to perform the dynamic client registration and then approve it via API (from the installation script)?
If not, what is the best way to perform static client registration?
How does the RP get the public key of the IdP in the case of static client registration?
Best regards,
   Michael

________________________________
From: Justin Richer <jricher at mit.edu>
Sent: Thursday, August 25, 2016 5:31 PM
To: Michael Furman; mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?

Answers inline.

On 8/25/2016 9:52 AM, Michael Furman wrote:
Hi Justin,
Thank you for your help!
I have a couple of additional questions:
1) How is it possible to establish static registration?
I want to establish the trust without the UI (during the installation of our products).


You can use dynamic (not static) client registration.

2) I read in the specifications that ID Tokens MUST be signed using JWS (http://openid.net/specs/openid-connect-core-1_0.html#IDToken) and the Client MUST validate the signature of all other ID Tokens according to JWS using the algorithm specified in the JWT alg Header Parameter (http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
Should the RP get the public key of the IdP?
How do they exchange the public key?

Yes, the server publishes its key and the client needs to download it and use that to validate the ID token. If you're using our client library, all of that is handled in the filter automatically.

 -- Justin

Thank you in advance for your help.

Best regards,
   Michael

________________________________
From: Justin Richer <jricher at mit.edu>
Sent: Wednesday, August 24, 2016 8:56 PM
To: Michael Furman
Cc: mitreid-connect at mit.edu
Subject: Re: [mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?

By default, simple-web-app is set up to use dynamic client registration:

https://tools.ietf.org/html/rfc7591

The server generates an ID and secret and hands them to the client as part of this protocol. This is not using symmetric encryption or symmetric signatures.

It is possible to use asymmetric signatures to authenticate the client, but the client needs to register its JWK value or JWK Set URI with the server to do so.

 - Justin

On Aug 24, 2016, at 9:15 AM, Michael Furman <michael_furman at hotmail.com> wrote:

Hi all,
I have launched the openid-connect-server-webapp server and the demo client (simple-web-app).

I see that during the dynamic registration the client is registered with a random client secret (for example
JqnXxNQzuAIg1qR0EZXS3WKfdKmvcKowlrIMQ0E8bDXrjRJjZA5nSJTxAeGlAaKVNQ9Qv3zoEUzhYSJyLJeFHg)

1) How is the secret passed from the server to the client?
2) According to my understanding it is a shared secret (i.e. symmetric encryption).

Is it possible to use asymmetric encryption to enable the trust between the OpenID client and the mitreid-connect server?

Thank you in advance for your help.

Best regards,
   Michael
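Justin's answer above (the server publishes its signing key, the client downloads it and validates the ID token's JWS signature with it) worked through in code. This is an added example, not code from the thread or from the MITREid Connect libraries: the signing function stands in for the server, the JWK Set is assumed to be already downloaded from the server and parsed into a map keyed by kid, and the issuer URL, client id and kid are constructed values. The RP side applies the checks the linked IDTokenValidation section requires: only the expected asymmetric alg is accepted, the signature must verify under the key named by kid, and iss, aud and exp must match.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// SignIDToken stands in for the IdP: an RS256 JWS whose header names the signing key by kid.
func SignIDToken(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return in + "." + b64.EncodeToString(sig)
}

// ValidateIDToken is the RP side. jwks is the IdP's published JWK Set, already downloaded and
// parsed, keyed by kid (assumption). Only RS256 is accepted; signature, iss, aud and exp must hold.
func ValidateIDToken(tok, issuer, clientID string, jwks map[string]*rsa.PublicKey, now int64) (map[string]any, error) {
	p := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("not a three-part JWS with alg RS256") // alg=none and non-RSA algs are refused here
	}
	h := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signed input is header.payload as transmitted
	sig, _ := b64.DecodeString(p[2])
	if pub := jwks[hdr.Kid]; pub == nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("kid not in the published JWK Set, or signature does not verify")
	}
	var c map[string]any
	if raw, _ := b64.DecodeString(p[1]); json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("payload is not a JSON claims object")
	}
	if exp, _ := c["exp"].(float64); c["iss"] != issuer || c["aud"] != clientID || float64(now) >= exp {
		return nil, errors.New("iss, aud or exp check failed")
	}
	return c, nil
}
```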


_______________________________________________
mitreid-connect mailing list
mitreid-connect at mit.edu
http://mailman.mit.edu/mailman/listinfo/mitreid-connect

