<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;background-color:#FFFFFF;font-family:Calibri,Arial,Helvetica,sans-serif;">
<div>
<p class="MsoNormal">Hi Justin,<br>
Thank you!</p>
<p class="MsoNormal">We want to eliminate manual operations in UI during the installation.</p>
<p class="MsoNormal">Is it possible to perform the dynamic client registration and then to approve it via API (by the installation script)?</p>
<p class="MsoNormal">If not &#8211; what is the best way to perform the static client registration?</p>
<p class="MsoNormal">How does the RP get the public key of the IDP in case of the static client registration?</p>
<p class="MsoNormal">Best regards,</p>
<p class="MsoNormal"><span style="mso-spacerun:yes">&nbsp;&nbsp; </span>Michael</p>
</div>
<br>
<div style="color: rgb(0, 0, 0);">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> Justin Richer &lt;jricher@mit.edu&gt;<br>
<b>Sent:</b> Thursday, August 25, 2016 5:31 PM<br>
<b>To:</b> Michael Furman; mitreid-connect@mit.edu<br>
<b>Subject:</b> Re: [mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?</font>
<div>&nbsp;</div>
</div>
<div>Answers inline.<br>
<br>
On 8/25/2016 9:52 AM, Michael Furman wrote:<br>
<blockquote type="cite">
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
Hi Justin,<br>
<div>
<p class="MsoNormal">Thank you for your help!</p>
<p class="MsoNormal">I have couple of additional questions:</p>
<p class="MsoNormal">1) How is it possible to establish the static registration?<br>
I want to establish the trust without the UI (during the installation of our products).<br>
<br>
</p>
</div>
</div>
</blockquote>
<br>
You can use dynamic (not static) client registration. <br>
<br>
<blockquote type="cite">
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div>
<p class="MsoNormal">2) I read in the specifications that ID Tokens MUST be signed using JWS<span style=""> (</span><a id="LPlnk374944" href="http://openid.net/specs/openid-connect-core-1_0.html#IDToken">http://openid.net/specs/openid-connect-core-1_0.html#IDToken</a>)
 and the Client MUST validate the signature of all other ID Tokens according to JWS using the algorithm specified in the JWT alg Header Parameter (<a href="http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation">http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation</a>)</p>
<p class="MsoNormal">Should the RP get the public key of the IDP?</p>
<p class="MsoNormal">How they exchange the public key?</p>
</div>
</div>
</blockquote>
<br>
Yes, the server publishes its key and the client needs to download it and use that to validate the ID token. If you're using our client library, all of that is handled in the filter automatically.
<br>
<br>
&nbsp;-- Justin<br>
<blockquote type="cite">
<div id="divtagdefaultwrapper" style="font-size:12pt; color:#000000; background-color:#FFFFFF; font-family:Calibri,Arial,Helvetica,sans-serif">
<div></div>
<br>
<div class="" style="margin-top:0px; margin-bottom:0px">Thank you in advance for your help.</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><span class="">&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span>Michael</div>
<br>
<div style="color:rgb(0,0,0)">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt" color="#000000" face="Calibri, sans-serif"><b>From:</b> Justin Richer
<a class="moz-txt-link-rfc2396E" href="mailto:jricher@mit.edu">&lt;jricher@mit.edu&gt;</a><br>
<b>Sent:</b> Wednesday, August 24, 2016 8:56 PM<br>
<b>To:</b> Michael Furman<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:mitreid-connect@mit.edu">
mitreid-connect@mit.edu</a><br>
<b>Subject:</b> Re: [mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?</font>
<div>&nbsp;</div>
</div>
<div>By default, simple-web-app is set up to use dynamic client registration:
<div class=""><br class="">
</div>
<div class=""><a id="LPlnk19286" href="https://tools.ietf.org/html/rfc7591" class="">https://tools.ietf.org/html/rfc7591</a></div>
<div class=""><br class="">
</div>
<div class="">The server generates an ID and secret and hands them to the client as part of this protocol. This is not using symmetric encryption or symmetric signatures.</div>
<div class=""><br class="">
</div>
<div class="">It is possible to use asymmetric signatures to authenticate the client, but the client needs to register its JWK value or JWK Set URI with the server to do so.</div>
<div class=""><br class="">
</div>
<div class="">&nbsp;&#8212; Justin</div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 24, 2016, at 9:15 AM, Michael Furman &lt;<a href="mailto:michael_furman@hotmail.com" class="">michael_furman@hotmail.com</a>&gt; wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div id="divtagdefaultwrapper" class="" style="font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; font-size:12pt; background-color:rgb(255,255,255); font-family:Calibri,Arial,Helvetica,sans-serif">
<div class="">
<div class="" style="margin-top:0px; margin-bottom:0px">Hi all,<br class="">
</div>
<div class="" style="margin-top:0px; margin-bottom:0px">I have launched the openid-connect-server-webapp server and the demo client (simple-web-app).</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><br class="">
I see that during the dynamic registration the client is registered with a random client secret (for example<span class="Apple-converted-space">&nbsp;</span><br class="">
JqnXxNQzuAIg1qR0EZXS3WKfdKmvcKowlrIMQ0E8bDXrjRJjZA5nSJTxAeGlAaKVNQ9Qv3zoEUzhYSJyLJeFHg)</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">1) How is the secret passed from the server to the client?</div>
<div class="" style="margin-top:0px; margin-bottom:0px">2) According to my understanding it is a shared secret (i.e. the symmetric encryption).</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">Is it possible to use the asymmetric encryption to enable the trust between the openID client and the<span class="rphighlightallclass"><span class="Apple-converted-space">&nbsp;</span>mitreid-connect</span><span class="Apple-converted-space">&nbsp;</span>server?</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">Thank you in advance for your help.</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
<div class="" style="margin-top:0px; margin-bottom:0px">Best regards,</div>
<div class="" style="margin-top:0px; margin-bottom:0px"><span class="">&nbsp;&nbsp;<span class="Apple-converted-space">&nbsp;</span></span>Michael</div>
<p class="MsoNormal" style="margin-top:0px; margin-bottom:0px">&nbsp;</p>
</div>
<br class="">
</div>
<span class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; float:none; display:inline!important">_______________________________________________</span><br class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">
<span class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px; float:none; display:inline!important">mitreid-connect
 mailing list</span><br class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">
<a href="mailto:mitreid-connect@mit.edu" class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">mitreid-connect@mit.edu</a><br class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">
<a href="http://mailman.mit.edu/mailman/listinfo/mitreid-connect" class="" style="font-family:Helvetica; font-size:12px; font-style:normal; font-weight:normal; letter-spacing:normal; orphans:auto; text-align:start; text-indent:0px; text-transform:none; white-space:normal; widows:auto; word-spacing:0px">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</a></div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
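<div>
<p>Worked example, added here and not part of the thread above or of MITREid Connect itself: the key exchange Justin describes, in Python with only the standard library. The OP publishes its signing key as a JWK Set, and the RP uses that set to validate the ID token, applying the checks from the IDTokenValidation section Michael linked (signature against the published key, issuer, audience, expiry). The issuer URL <code>https://op.example</code>, the client_id <code>client-123</code>, the subject <code>alice</code> and the key id <code>op-key-1</code> are constructed values; in a real deployment the RP fetches the JWK Set over HTTPS from the <code>jwks_uri</code> in the OP's discovery document, and <code>make_jwks</code> stands in for that fetch. The RSA and JWS routines are a deliberately minimal textbook implementation written for this illustration, not a JOSE library, and the 1024-bit key is demo-sized; MITREid Connect's client filter performs all of this for you, as the reply says.</p>

```python
# Added example, not MITREid Connect code: an OP publishes its RSA signing key in a JWK Set and
# an RP validates an RS256 ID token against it. Standard library only; the RSA/JWS code is a
# minimal textbook implementation for illustration, not a JOSE library.
import base64, hashlib, hmac, json, random, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 24) -> bool:   # Miller-Rabin, fine for a demo key
    if n < 2: return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):   # cheap trial division first
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if is_probable_prime(candidate):
            return candidate

def generate_rsa_keypair(bits: int = 1024) -> dict:
    e = 65537   # demo-sized key; production keys are 2048+ bits from a vetted library
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:          # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2 note 1

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(signing_input: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v15(signing_input, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    k = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, emsa_pkcs1_v15(signing_input, k))

def make_jwks(key: dict, kid: str) -> dict:
    """The document the OP serves at its jwks_uri: public parameters only, never d."""
    enc = lambda x: b64url(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": enc(key["n"]), "e": enc(key["e"])}]}

def issue_id_token(key: dict, kid: str, issuer: str, client_id: str, subject: str, now: int) -> str:
    header = {"alg": "RS256", "kid": kid}   # OP side: kid tells the RP which published key signed
    claims = {"iss": issuer, "sub": subject, "aud": client_id, "iat": now, "exp": now + 600}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), key))

def validate_id_token(token: str, jwks: dict, issuer: str, client_id: str, now: int) -> dict:
    """RP side: the OIDC Core 3.1.3.7 checks; raises ValueError on anything that fails."""
    h64, c64, s64 = token.split(".")          # ValueError unless exactly three segments
    header = json.loads(b64url_decode(h64))
    # The RP fixes the algorithm from its own configuration, so an "alg":"none" token is refused.
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no matching key in the published JWK Set")
    n, e = (int.from_bytes(b64url_decode(key[p]), "big") for p in ("n", "e"))
    if not rs256_verify((h64 + "." + c64).encode(), b64url_decode(s64), n, e):
        raise ValueError("signature does not verify against the published key")
    claims = json.loads(b64url_decode(c64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("issuer or audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def demo() -> dict:
    op_key = generate_rsa_keypair()
    jwks = make_jwks(op_key, "op-key-1")      # constructed kid; the RP would fetch this from jwks_uri
    now = int(time.time())
    token = issue_id_token(op_key, "op-key-1", "https://op.example", "client-123", "alice", now)
    return validate_id_token(token, jwks, "https://op.example", "client-123", now)
```

<p>Two design points in the RP half are what make the published key a trust anchor rather than a hint: the expected algorithm comes from the RP's own configuration and not from the token header, which is why an unsigned (<code>alg: none</code>) token is refused before any key lookup, and the key is selected by the <code>kid</code> the OP put in the header, which is what lets the OP rotate signing keys without re-registering every client. A real RP caches the JWK Set and refetches it when it sees a <code>kid</code> it does not know.</p>
</div>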
</body>
</html>