[mitreid-connect] How is enabled the trust between an openID client and the mitreid-connect server?

Justin Richer jricher at mit.edu
Thu Aug 25 10:31:53 EDT 2016


Answers inline.

On 8/25/2016 9:52 AM, Michael Furman wrote:
> Hi Justin,
>
> Thank you for your help!
>
> I have couple of additional questions:
>
> 1) How is possible to establish the static registration?
> I want to establish the trust without the UI (during the installation 
> of our products).
>

You can use dynamic (not static) client registration.

> 2) I read in the specifications that ID Tokens MUST be signed using 
> JWS(http://openid.net/specs/openid-connect-core-1_0.html#IDToken) and 
> the Client MUST validate the signature of all other ID Tokens 
> according to JWS using the algorithm specified in the JWT alg Header 
> Parameter 
> (http://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation)
>
> Should the RP get the public key of the IDP?
>
> How they exchange the public key?
>

Yes, the server publishes its key and the client needs to download it 
and use that to validate the ID token. If you're using our client 
library, all of that is handled in the filter automatically.

  -- Justin
>
> Thank you in advance for your help.
>
> Best regards,
> Michael
>
> ------------------------------------------------------------------------
> *From:* Justin Richer <jricher at mit.edu>
> *Sent:* Wednesday, August 24, 2016 8:56 PM
> *To:* Michael Furman
> *Cc:* mitreid-connect at mit.edu
> *Subject:* Re: [mitreid-connect] How is enabled the trust between an 
> openID client and the mitreid-connect server?
> By default, simple-web-app is set up to use dynamic client registration:
>
> https://tools.ietf.org/html/rfc7591
>
> The server generates an ID and secret and hands them to the client as 
> part of this protocol. This is not using symmetric encryption or 
> symmetric signatures.
>
> It is possible to use asymmetric signatures to authenticate the 
> client, but the client needs to register its JWK value or JWK Set URI 
> with the server to do so.
>
>  — Justin
>
>> On Aug 24, 2016, at 9:15 AM, Michael Furman 
>> <michael_furman at hotmail.com <mailto:michael_furman at hotmail.com>> wrote:
>>
>> Hi all,
>> I have launched the openid-connect-server-webapp server and the demo 
>> client (simple-web-app).
>>
>> I see that during the dynamical registration the client registered 
>> with the random client secret (For the example
>> JqnXxNQzuAIg1qR0EZXS3WKfdKmvcKowlrIMQ0E8bDXrjRJjZA5nSJTxAeGlAaKVNQ9Qv3zoEUzhYSJyLJeFHg)
>>
>> 1) How the secret passed from the server to the client?
>> 2) According to my understanding it is shared secret (i.e. the 
>> symmetric encryption).
>>
>> Is it possible to use the asymmetric encryption to enable the trust 
>> between the openID client and themitreid-connectserver?
>>
>> Thank you in advance for your help.
>>
>> Best regards,
>> Michael
>>
>>
>> _______________________________________________
>> mitreid-connect mailing list
>> mitreid-connect at mit.edu <mailto:mitreid-connect at mit.edu>
>> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20160825/acd846e9/attachment.html


More information about the mitreid-connect mailing list