
Dear Jim, others,

as discussed during the AARC meeting, here are some high-level comments on the document.

1) I would try to focus on the MyProxy specific features. Currently a large part of the document is redescribing the standard OpenID-Connect specification/architecture which distracts.

2) As I suggested, it would be good to use the information retrieved from the userinfo endpoint to put in the CSR. As you mentioned, this gives an extra check for binding the token with the user.

3) Also I would probably demand some form of client auth (e.g. the client_secret) for the /userinfo endpoint. This is one of the things I don't like so much in the OpenID Connect spec, it leaves this auth too much open (and so does google): if someone intercepts the access token, (s)he can get all the /userinfo information. By preventing that, point 2) becomes much stronger. Personally I would have liked if OIC would use (also) the ID Token for that, since it can contain audience and authorized party restrictions, but the spec doesn't seem to want you to do that... Perhaps I don't understand the ID Token rationale sufficiently yet.

4) Likewise, doing a GET /userinfo request with an access_token in the URL is IMHO a bad idea as the token ends up in logfiles and/or leaks in other ways (this is the second example at the UserInfo Request). I don't think the OIC spec mentions this, but RFC6750 mentions it in section 5.3 (last point).

5) You give an example of a /getcert request passing the CSR via a GET request in the URL. That will give problems on certain platforms due to maximum length of URLs. I would make it a POST.

I think that's most of it for now...

Best wishes,
Mischa Sallé

On Wed, Dec 31, 2014 at 11:22:39PM +0000, Sill, Alan wrote:
Dear IDEL-WG and FedSec-CG folks,
Thought you would be interested in the following link. Please consider reading and commenting on this ongoing work by Jim Basney, Jeff Gaynor and Wendy Edwards.
For further details, please see the message at the second link below.
Topic: OpenID Connect for MyProxy Protocol Specification Version 0.2 (Dec 2014 - IN PROGRESS)
Jim Basney <jbasney@illinois.edu>
Jeff Gaynor <gaynor@illinois.edu>
Wendy Edwards <wedwards@illinois.edu>
Link: http://goo.gl/VnMKXS
Further information: https://www.ogf.org/pipermail/idel-wg/2013-September/000011.html
Alan
P.S.: Happy new year!
-- 
Nikhef, Room H155
Science Park 105
1098 XG Amsterdam
The Netherlands
Tel. +31-20-592 5102
Fax +31-20-592 5155
Email msalle@nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
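As an added illustration (not code from the specification, from MyProxy, or from anyone in this thread), the following Python shows how a server could enforce points 2 to 5 above: reject an access_token passed in the /userinfo query string, require a client_secret, and accept a CSR only via POST with a subject that matches the claims the server itself fetched from /userinfo. The `clients` registry, the `csr` form field name, and the claim-to-subject mapping are assumptions, and the CSR is taken as already parsed into its subject attributes.

```python
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

@dataclass
class Request:
    """Minimal model of an incoming HTTP request (constructed for this example)."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)  # decoded POST body fields

def bearer_token(req):
    """Return the token from an 'Authorization: Bearer ...' header, or None."""
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None

def check_userinfo(req, clients):
    """Points 3 and 4: the token must not travel in the URL and the client must
    authenticate. `clients` maps client_id -> client_secret (hypothetical registry)."""
    problems = []
    if "access_token" in parse_qs(urlsplit(req.url).query):
        problems.append("access_token in query string (see RFC 6750 section 5.3)")
    if bearer_token(req) is None:
        problems.append("no Authorization: Bearer header")
    expected = clients.get(req.form.get("client_id"), "")
    supplied = req.form.get("client_secret", "")
    # constant-time compare; an unregistered client_id has no secret and fails
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        problems.append("client not authenticated")
    return problems

# Assumed mapping of userinfo claims to CSR subject attributes (not from the spec).
CLAIM_TO_SUBJECT = {"name": "CN", "email": "emailAddress"}

def check_getcert(req, userinfo, csr_subject):
    """Points 2 and 5: the CSR must be POSTed, and its subject must carry the values
    the server itself fetched from /userinfo for this token. `csr_subject` is the
    already-parsed subject of the PKCS#10 request; 'csr' is an assumed field name."""
    problems = []
    if req.method != "POST" or "csr" not in req.form:
        problems.append("CSR must be sent in a POST body, not the URL")
    for claim, attr in CLAIM_TO_SUBJECT.items():
        if csr_subject.get(attr) != userinfo.get(claim):
            problems.append(f"CSR {attr} does not match userinfo {claim}")
    return problems
```

An empty list means the request passes; otherwise the strings name each violated point.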