Difference between revisions of "OpenID Artifact Binding"

From IIW
Latest revision as of 12:39, 7 February 2011

Convener: =nat

Notes-taker: Breno de Medeiros

Tags: OpenID Artifact Extension

Discussion notes:

Idea: Send smaller payload through the browser (indirect communication).

Goal: Support less powerful mobile browsers that may have stricter URL lengths and no support for Javascript.

Question: How to bind the token to the requester? Standard XSRF protection can be used to bind the request to the browser session at the RP. The RP must sign its requests to prevent the artifact from being stolen.

Statelessness: Can be achieved for identity select; some state is required for claimed id. Allow the artifact to be different in the request and the response to support statelessness.

Maximum length for artifacts should be specified.

Doing it through extensions is not possible, since it requires changes to add signatures. Suggestion: Use two different keys (one for requests, one for responses) to avoid reflection attacks.
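As an added worked example (not from the session notes or any OpenID specification), the following Python models the exchange discussed above: the OP hands a short opaque artifact to the browser, the RP binds it to its session with an XSRF state value, redeems it over the direct back-channel with a signed request, and the OP answers with a single-use assertion signed under a separate key. The HMAC keys, the 43-character artifact cap, the 60-second lifetime and the JSON message shapes are all assumptions made for the example.

```python
import hmac, hashlib, json, secrets, time

MAX_ARTIFACT_LEN = 43          # assumed cap: 32 random bytes, base64url-encoded
RP_REQUEST_KEY = b"rp-to-op-request-key"    # constructed: signs RP -> OP requests
OP_RESPONSE_KEY = b"op-to-rp-response-key"  # constructed: signs OP -> RP responses

def sign(key: bytes, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class OP:
    def __init__(self):
        self.pending = {}   # artifact -> (assertion, rp_state, expiry)

    def issue_artifact(self, assertion: dict, rp_state: str, ttl=60) -> str:
        # Only this short, opaque value travels through the browser.
        artifact = secrets.token_urlsafe(32)
        assert len(artifact) <= MAX_ARTIFACT_LEN
        self.pending[artifact] = (assertion, rp_state, time.time() + ttl)
        return artifact

    def resolve(self, request: dict, signature: str) -> dict:
        # Back-channel request must carry a valid RP signature under the request key.
        if not hmac.compare_digest(sign(RP_REQUEST_KEY, request), signature):
            raise PermissionError("bad request signature")
        entry = self.pending.pop(request["artifact"], None)   # single use
        if entry is None or entry[2] < time.time():
            raise LookupError("unknown, expired or already-redeemed artifact")
        assertion, rp_state, _ = entry
        if rp_state != request["state"]:
            raise PermissionError("artifact not bound to this RP session")
        response = {"assertion": assertion, "state": rp_state}
        return {"response": response, "signature": sign(OP_RESPONSE_KEY, response)}

class RP:
    def __init__(self, op: OP):
        self.op = op
        self.session_state = secrets.token_urlsafe(16)  # XSRF token tied to the browser session

    def handle_return(self, artifact: str, state: str) -> dict:
        if not hmac.compare_digest(state, self.session_state):
            raise PermissionError("state mismatch: not this browser session")
        request = {"artifact": artifact, "state": state}
        reply = self.op.resolve(request, sign(RP_REQUEST_KEY, request))
        # Responses use a different key, so a reflected request signature never verifies here.
        if not hmac.compare_digest(sign(OP_RESPONSE_KEY, reply["response"]), reply["signature"]):
            raise PermissionError("bad response signature")
        return reply["response"]["assertion"]
```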