<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Answers inline.<br>
<br>
On 8/25/2016 9:52 AM, Michael Furman wrote:<br>
<blockquote
cite="mid:AM5PR0701MB2530054A5953E0A27824AD36F4ED0@AM5PR0701MB2530.eurprd07.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">Hi
Justin,<br>
<div>
<p class="MsoNormal">Thank you for your help!</p>
<p class="MsoNormal">I have a couple of additional questions:</p>
<p class="MsoNormal">1) How is it possible to establish the
static registration?<br>
I want to establish the trust without the UI (during the
installation of our products).<br>
<br>
</p>
</div>
</div>
</blockquote>
<br>
You can use dynamic (not static) client registration. <br>
<br>
<blockquote
cite="mid:AM5PR0701MB2530054A5953E0A27824AD36F4ED0@AM5PR0701MB2530.eurprd07.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>
<p class="MsoNormal">
2) I read in the specifications that ID Tokens MUST be
signed using JWS (<a
moz-do-not-send="true" id="LPlnk374944"
href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken">http://openid.net/specs/openid-connect-core-1_0.html#IDToken</a>)
and the Client MUST validate the signature of all other ID
Tokens according to JWS using the algorithm specified in the
JWT alg Header Parameter (<a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation">http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation</a>)</p>
<p class="MsoNormal">Should the RP get the public key of the
IDP?</p>
<p class="MsoNormal">How do they exchange the public key?</p>
</div>
</div>
</blockquote>
<br>
Yes, the server publishes its key and the client needs to download
it and use that to validate the ID token. If you're using our client
library, all of that is handled in the filter automatically. <br>
<br>
-- Justin<br>
<blockquote
cite="mid:AM5PR0701MB2530054A5953E0A27824AD36F4ED0@AM5PR0701MB2530.eurprd07.prod.outlook.com"
type="cite">
<div id="divtagdefaultwrapper"
style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>
</div>
<br>
<div class="" style="margin-top:0px; margin-bottom:0px">Thank
you in advance for your help.</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Best
regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px">Michael</div>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
Justin Richer <a class="moz-txt-link-rfc2396E" href="mailto:jricher@mit.edu"><jricher@mit.edu></a><br>
<b>Sent:</b> Wednesday, August 24, 2016 8:56 PM<br>
<b>To:</b> Michael Furman<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">mitreid-connect@mit.edu</a><br>
<b>Subject:</b> Re: [mitreid-connect] How is enabled the
trust between an openID client and the mitreid-connect
server?</font>
<div> </div>
</div>
<div>By default, simple-web-app is set up to use dynamic
client registration:
<div class=""><br class="">
</div>
<div class=""><a moz-do-not-send="true" id="LPlnk19286"
href="https://tools.ietf.org/html/rfc7591" class="">https://tools.ietf.org/html/rfc7591</a></div>
<div class=""><br class="">
</div>
<div class="">The server generates an ID and secret and
hands them to the client as part of this protocol. This is
not using symmetric encryption or symmetric signatures.</div>
<div class=""><br class="">
</div>
<div class="">It is possible to use asymmetric signatures to
authenticate the client, but the client needs to register
its JWK value or JWK Set URI with the server to do so.</div>
<div class=""><br class="">
</div>
<div class=""> — Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 24, 2016, at 9:15 AM, Michael
Furman <<a moz-do-not-send="true"
href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div id="divtagdefaultwrapper" class=""
style="font-size:12pt; font-family:Calibri,Arial,Helvetica,sans-serif">
<div class="">
<div class="" style="margin-top:0px;
margin-bottom:0px">Hi all,<br class="">
</div>
<div class="" style="margin-top:0px;
margin-bottom:0px">I have launched the
openid-connect-server-webapp server and the
demo client (simple-web-app).</div>
<div class="" style="margin-top:0px;
margin-bottom:0px"><br class="">
I see that during the dynamic registration
the client registered with a random client
secret (for example:<br class="">
JqnXxNQzuAIg1qR0EZXS3WKfdKmvcKowlrIMQ0E8bDXrjRJjZA5nSJTxAeGlAaKVNQ9Qv3zoEUzhYSJyLJeFHg)</div>
<div class="" style="margin-top:0px;
margin-bottom:0px">1) How is the secret passed
from the server to the client?</div>
<div class="" style="margin-top:0px;
margin-bottom:0px">2) According to my
understanding it is a shared secret (i.e.
symmetric encryption).</div>
<div class="" style="margin-top:0px;
margin-bottom:0px">Is it possible to use
asymmetric encryption to enable the trust
between the openID client and the mitreid-connect server?</div>
<div class="" style="margin-top:0px;
margin-bottom:0px">Thank you in advance for
your help.</div>
<div class="" style="margin-top:0px;
margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px;
margin-bottom:0px">Michael</div>
</div>
<br class="">
</div>
<span class="">_______________________________________________</span><br class="">
<span class="">mitreid-connect mailing list</span><br class="">
<a moz-do-not-send="true" href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a><br class="">
<a moz-do-not-send="true" href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>