Pairwise ID relies on sector_identifier_uri in auth request
Hi,
This is partly related to UniversitaDellaCalabria/SATOSA-oidcop#20 and UniversitaDellaCalabria/SATOSA-oidcop#21 (which give some more context).
When trying to use pairwise sub_type with oidcop, I was getting the same sub values for both public and pairwise types - and realised it was because sector_identifier being passed by create_grant to the sub functions was an empty string.
And I found it's populated with auth_req.get("sector_identifier_uri", "").
I managed to set it by explicitly including it as an extra parameter in the Authn request with:
OIDCAuthRequestParams sector_identifier_uri=client.example.org
... but this uncovers several issues:
- generating pairwise IDs that are not really pairwise (if empty string is accepted as sector_identifier)
- accepting arbitrary strings as sector_identifier from the client per each authn request
- expecting the client to pass the sector_identifier_uri in each authn request (instead of solving it at registration time).
I believe this could be addressed by extending the interface of create_grant and create_session to also take a sector_identifier attribute - which would be populated from the client registration database available in the code making these calls (such as OidcOpFrontend).
Thanks a lot in advance for considering this.
Cheers, Vlad
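To illustrate the issue above, here is an added example (not oidc-op's or SATOSA-oidcop's code) contrasting the flawed approach, where the sector identifier comes from the authn request, with a registration-based one as the post proposes. The `CLIENT_DB` records, `SALT`, the function names and the HMAC-SHA256 derivation are all assumptions; the sector-identifier rule (host of `sector_identifier_uri`, else the single host of the registered `redirect_uris`) follows OpenID Connect Core 8.1.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed client registrations (assumed shape, not oidc-op's data model).
CLIENT_DB = {
    "client_a": {"redirect_uris": ["https://app-a.example.com/cb"]},
    "client_b": {"redirect_uris": ["https://app-b.example.org/cb"]},
    "client_c": {
        "redirect_uris": ["https://cdn.example.net/cb", "https://other.example.net/cb"],
        "sector_identifier_uri": "https://cdn.example.net/clients.json",
    },
}
SALT = b"constructed-op-salt"  # per-OP secret; constructed value


def pairwise_sub(local_sub, sector_identifier, salt):
    """Pairwise subject: keyed hash over (sector identifier, local account id)."""
    msg = f"{sector_identifier}\x00{local_sub}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def sub_from_request_param(client_id, local_sub, salt, auth_req):
    """Flawed path described in the issue: the sector identifier is whatever the
    client sent (or "" when absent), so every client gets the same "pairwise" sub
    and any client can pick an arbitrary sector string per request."""
    return pairwise_sub(local_sub, auth_req.get("sector_identifier_uri", ""), salt)


def sector_identifier_from_registration(client_info):
    """Derive the sector identifier from registered metadata only (OIDC Core 8.1)."""
    if "sector_identifier_uri" in client_info:
        return urlparse(client_info["sector_identifier_uri"]).hostname
    hosts = {urlparse(u).hostname for u in client_info["redirect_uris"]}
    if len(hosts) != 1:
        raise ValueError("multiple redirect_uri hosts require sector_identifier_uri")
    return hosts.pop()


def sub_for_request(client_id, local_sub, salt, auth_req):
    """Proposed path: create_grant/create_session receive a sector_identifier
    looked up from the client registration; auth_req is not consulted for it."""
    sector = sector_identifier_from_registration(CLIENT_DB[client_id])
    if not sector:
        raise ValueError("empty sector identifier; refusing to issue pairwise sub")
    return pairwise_sub(local_sub, sector, salt)
```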
Considering satosa-oidcop, I'd suggest continuing to work on this branch https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/tree/idpy-oidc
and completing the migration to idpy-oidc.
Sorry, I may be lost in the different projects ... what is the difference between IdentityPython/oidc-op and IdentityPython/idpy-oidc ?
IdentityPython/oidc-op is not maintained anymore; developers' efforts have moved to idpy-oidc.
satosa-oidcop has to switch to idpy-oidc. I started, then a configuration refactoring stopped me; now I'm looking for contributors who can help with development and confirm satosa-oidcop as concrete community-driven software (as it has been from the beginning!)
Thanks!
So idpy-oidc is a rewrite of oidc-op - or a replacement that started as a new project?
And where does pyop fit into that picture?
Cheers, Vlad
A rewrite
pyop is dead.
We need you, please join the dev team!