This repository has been archived by the owner on Jun 23, 2023. It is now read-only.

Pairwise ID relies on sector_identifier_uri in auth request #206

Open
vladimir-mencl-eresearch opened this issue Nov 3, 2022 · 5 comments

Comments

@vladimir-mencl-eresearch

Hi,

This is partly related to UniversitaDellaCalabria/SATOSA-oidcop#20 and UniversitaDellaCalabria/SATOSA-oidcop#21 (which give some more context).

When trying to use pairwise sub_type with oidcop, I was getting the same sub values for both public and pairwise types - and realised it was because sector_identifier being passed by create_grant to the sub functions was an empty string.

And I found it's populated with auth_req.get("sector_identifier_uri", "").

I managed to set it by explicitly including it as an extra parameter in the Authn request with:

OIDCAuthRequestParams sector_identifier_uri=client.example.org

... but this uncovers several issues:

  • generating pairwise IDs that are not really pairwise (if empty string is accepted as sector_identifier)
  • accepting arbitrary strings as sector_identifier from the client per each authn request
  • expecting the client to pass the sector_identifier_uri in each authn request (instead of solving it at registration time).

I believe this could be addressed by extending the interface of create_grant and create_session to also take a sector_identifier attribute - which would be populated from the client registration database available in the code making these calls (such as OidcOpFrontend).

Thanks a lot in advance for considering this.

Cheers,
Vlad
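The defect described in this report, as an added example that is not code from oidc-op, idpy-oidc or SATOSA-oidcop: a pairwise sub derived from a sector identifier read out of the authorization request (defaulting to an empty string) beside one derived from the client's registration record, which is the fix the report proposes. `CLIENT_DB`, `SALT`, `sector_identifier_for_client`, `weak_sub`, `hardened_sub` and `registration_is_valid` are names and sample data invented for this illustration, not the project's API.

```python
"""Pairwise subject identifiers: sector identifier from the request vs. from
client registration.

Added illustration for this issue; it is not code from oidc-op, idpy-oidc or
SATOSA-oidcop. CLIENT_DB, SALT, sector_identifier_for_client, weak_sub,
hardened_sub and registration_is_valid are names invented for this example.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed client registration records (not real clients).
CLIENT_DB = {
    "rp-a": {"redirect_uris": ["https://app.example.org/cb"]},
    "rp-b": {"redirect_uris": ["https://other.example.net/cb"]},
    # Several redirect hosts: a sector_identifier_uri must be registered.
    "rp-c": {
        "redirect_uris": ["https://x.example.com/cb", "https://y.example.com/cb"],
        "sector_identifier_uri": "https://x.example.com/sector.json",
    },
    # Misregistered: several hosts and no sector_identifier_uri.
    "rp-bad": {"redirect_uris": ["https://p.example.com/cb", "https://q.example.com/cb"]},
}

# Constructed OP-side secret salt; a real OP keeps this as persistent configuration.
SALT = b"constructed-op-pairwise-salt"


def sector_identifier_for_client(client_id, client_db=CLIENT_DB):
    """Sector identifier per OIDC Core 8.1, taken from the registration record.

    If the client registered a sector_identifier_uri, its host is the sector
    identifier; otherwise the host of its single redirect_uri. Several redirect
    hosts without a sector_identifier_uri is a registration error, so refuse.
    """
    reg = client_db[client_id]
    if reg.get("sector_identifier_uri"):
        return urlparse(reg["sector_identifier_uri"]).hostname
    hosts = {urlparse(u).hostname for u in reg["redirect_uris"]}
    if len(hosts) != 1:
        raise ValueError(f"{client_id}: several redirect hosts, sector_identifier_uri required")
    return hosts.pop()


def registration_is_valid(client_id, client_db=CLIENT_DB):
    """True if a non-empty sector identifier can be derived for this client."""
    try:
        return bool(sector_identifier_for_client(client_id, client_db))
    except (KeyError, ValueError):
        return False


def _pairwise_digest(local_sub, sector_identifier, salt):
    """Keyed hash over (sector identifier, local identity), one of the
    constructions OIDC Core 8.1 allows for pairwise subs."""
    msg = f"{sector_identifier}\x00{local_sub}".encode()
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


def weak_sub(local_sub, client_id, auth_req, salt=SALT):
    """The behaviour reported in the issue: the sector identifier is read from
    the authorization request, defaulting to "". client_id plays no part, so
    two clients that send no sector_identifier_uri receive the same "pairwise"
    sub, and a client chooses the string that goes into the hash."""
    sector = auth_req.get("sector_identifier_uri", "")
    return _pairwise_digest(local_sub, sector, salt)


def hardened_sub(local_sub, client_id, auth_req=None, salt=SALT, client_db=CLIENT_DB):
    """Sector identifier comes from the registration record only; the request
    is never consulted, and an empty sector identifier is rejected."""
    sector = sector_identifier_for_client(client_id, client_db)
    if not sector:
        raise ValueError("empty sector identifier; refusing to issue a pairwise sub")
    return _pairwise_digest(local_sub, sector, salt)


if __name__ == "__main__":
    # Weak path: rp-a and rp-b get the identical sub when neither sends the parameter.
    print("weak path identical across clients:",
          weak_sub("alice", "rp-a", {}) == weak_sub("alice", "rp-b", {}))
    # Hardened path: the sub differs per client and ignores anything in the request.
    print("hardened path identical across clients:",
          hardened_sub("alice", "rp-a") == hardened_sub("alice", "rp-b"))
```

The hardened variant is what the report asks for in `create_grant`/`create_session`: the caller that owns the client registration database resolves the sector identifier once and passes it in, so neither an empty string nor a client-chosen value can reach the hash. A client whose registration cannot yield a sector identifier should be rejected at registration time rather than silently given a public-looking identifier.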

@peppelinux
Member

Considering satosa-oidcop, I'd suggest continuing to work on this branch https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/tree/idpy-oidc

and complete the migration to idpy-oidc

@vladimir-mencl-eresearch
Author

Sorry, I may be lost in the different projects ... what is the difference between IdentityPython/oidc-op and IdentityPython/idpy-oidc ?

@peppelinux
Member

IdentityPython/oidc-op is not maintained anymore; developers' efforts have moved to idpy-oidc.

satosa-oidcop has to switch to idpy-oidc.
I started, then a configuration refactoring stopped me; now I'm looking for contributors who can help with development and confirm satosa-oidcop as concrete community-driven software (as it was from the beginning!)

@vladimir-mencl-eresearch
Author

Thanks!

So idpy-oidc is a rewrite of oidc-op - or a replacement that started as a new project?

And where does pyop fit into that picture?

Cheers,
Vlad

@peppelinux
Member

A rewrite

pyop is dead

We need you, please join the dev team!
