OpenID Artifact Binding
Notes-taker: Breno de Medeiros
Tags: OpenID Artifact Extension
Idea: Send smaller payload through the browser (indirect communication).
Question: How to bind the token to the requester? Standard XSRF protection can be used to bind the request to the browser session at the RP. The RP must sign its requests to prevent the artifact from being stolen.
Statelessness: can be achieved for identifier select; some state is required for a claimed identifier. Allow the artifact to differ between the request and the response to support statelessness.
Maximum length for artifacts should be specified.
Doing this through extensions is not possible, because it requires changes to add signatures. Suggestion: use two different keys (one per direction) to avoid reflection attacks.
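The following sketch, added here as an illustration and not code from the notes or from any OpenID specification, ties the points above together: the browser carries only a short artifact plus a session-bound nonce (XSRF binding), the RP signs its requests, the OP resolves the artifact over a direct channel, a maximum artifact length is enforced, and two independent keys (REQ_KEY for RP-to-OP requests, RESP_KEY for OP-to-RP assertions) ensure a message signed in one direction can never be accepted as one from the other. All key values, field names and the length bound are constructed assumptions.

```python
"""Illustrative OpenID artifact-binding flow (constructed example, not a spec)."""
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlencode

REQ_KEY = b"constructed-request-signing-key"    # signs RP -> OP messages (assumption)
RESP_KEY = b"constructed-response-signing-key"  # signs OP -> RP assertions (assumption)
MAX_ARTIFACT_LEN = 64                           # constructed bound; notes only say one is needed


def _sign(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over a canonical (sorted, URL-encoded) form of the fields."""
    canonical = urlencode(sorted(fields.items())).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def _verify(key: bytes, fields: dict, sig: str) -> bool:
    return hmac.compare_digest(_sign(key, fields), sig)


class OpenIDProvider:
    def __init__(self):
        self.pending = {}  # artifact -> assertion awaiting direct resolution

    def authenticate(self, req: dict, authenticated_user: str) -> Optional[dict]:
        """Check the RP's request signature, mint an artifact, return the small browser payload."""
        req = dict(req)
        if not _verify(REQ_KEY, req, req.pop("sig", "")):
            return None
        if req["claimed_id"] != "identifier_select" and authenticated_user != req["claimed_id"]:
            return None  # user does not own the claimed identifier (constructed check)
        identity = authenticated_user
        artifact = secrets.token_urlsafe(24)  # OP-chosen; differs from the RP's own nonce
        self.pending[artifact] = {"identity": identity, "nonce": req["nonce"], "return_to": req["return_to"]}
        return {"artifact": artifact, "nonce": req["nonce"]}

    def resolve(self, resolve: dict) -> Optional[dict]:
        """Direct-channel resolution: single use, bound to the original nonce, signed with RESP_KEY."""
        resolve = dict(resolve)
        if not _verify(REQ_KEY, resolve, resolve.pop("sig", "")):
            return None
        assertion = self.pending.pop(resolve["artifact"], None)
        if assertion is None or assertion["nonce"] != resolve["nonce"]:
            return None
        assertion["sig"] = _sign(RESP_KEY, assertion)
        return assertion


class RelyingParty:
    def __init__(self):
        self.sessions = {}  # browser session id -> state bound to that session

    def start(self, session_id: str, claimed_id: str, return_to: str) -> dict:
        """Signed request; the nonce ties the later artifact to this browser session."""
        nonce = secrets.token_urlsafe(16)
        # identifier_select needs no remembered claimed id; a specific claimed id does.
        self.sessions[session_id] = {"nonce": nonce, "claimed_id": claimed_id}
        req = {"claimed_id": claimed_id, "return_to": return_to, "nonce": nonce}
        req["sig"] = _sign(REQ_KEY, req)
        return req

    def receive(self, session_id: str, op: OpenIDProvider, redirect: dict) -> Optional[dict]:
        """Handle the browser redirect, then resolve the artifact over the direct channel."""
        state = self.sessions.get(session_id)
        if state is None or not hmac.compare_digest(state["nonce"], redirect.get("nonce", "")):
            return None  # artifact is not bound to this browser session
        artifact = redirect.get("artifact", "")
        if not artifact or len(artifact) > MAX_ARTIFACT_LEN:
            return None  # enforce the specified maximum artifact length
        resolve = {"artifact": artifact, "nonce": state["nonce"]}
        resolve["sig"] = _sign(REQ_KEY, resolve)
        assertion = op.resolve(resolve)
        if assertion is None or not _verify(RESP_KEY, assertion, assertion.pop("sig", "")):
            return None  # must carry a valid signature under the *response* key
        if state["claimed_id"] != "identifier_select" and assertion["identity"] != state["claimed_id"]:
            return None
        del self.sessions[session_id]  # one-shot state
        return assertion


def run_flow(user: str, claimed_id: str = "identifier_select") -> Optional[str]:
    """End-to-end run with one browser session; returns the asserted identity or None."""
    rp, op = RelyingParty(), OpenIDProvider()
    req = rp.start("browser-1", claimed_id, "https://rp.example/return")
    redirect = op.authenticate(req, user)
    if redirect is None:
        return None
    assertion = rp.receive("browser-1", op, redirect)
    return assertion["identity"] if assertion else None


def reflection_rejected() -> bool:
    """A message signed under REQ_KEY verifies only as a request, never as a response."""
    msg = {"artifact": "x", "nonce": "n"}
    sig = _sign(REQ_KEY, msg)
    return _verify(REQ_KEY, msg, sig) and not _verify(RESP_KEY, msg, sig)


if __name__ == "__main__":
    print(run_flow("alice"), run_flow("alice", "alice"), run_flow("alice", "bob"), reflection_rejected())
```

The OP mints its own artifact rather than echoing the RP's nonce, so the value crossing the browser in the request and the one crossing in the response differ, which is what lets an OP keep no state about the request beyond the pending assertion table. The nonce in the RP session plus the constant-time comparison is the XSRF binding; the length check is where a specified maximum artifact length would be enforced.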