Difference between revisions of "OpenID Connect"
From MgmtWiki
Revision as of 13:18, 30 July 2018
Full Title or Meme
An extension of OAuth 2.0 to give a Relying Party access to User Information. (Other uses of this protocol are possible, but they are not of interest for Identity Management.)
Context
- The OAuth 2.0 protocol gave access to User Resources, but without authentication it was fraught with many vulnerabilities.
- The OpenID Connect protocol is always among three parties: the User (called subject), the Relying Party (called client for OAuth compatibility) and the Identifier or Attribute Provider (called OpenID Provider).
- There are always three Identifiers: the subject id (sid), the client id (client_id)
Problems
- The Subject ID may be ephemeral.
- The Subject ID may be shared among all of the clients that use the same OP.
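As an added example (not from the wiki, nor from any OpenID implementation), the two subject-identifier problems above worked through in Python: an OP that issues either a public or a pairwise subject identifier, and the RP-side check that the ID Token claims name our OP and our client_id. The claim names (iss, sub, aud) are the ones in the OIDC Core specification and the pairwise derivation follows the sketch in its section 8.1; OP_ISSUER, SALT, the account names and the sector identifiers are constructed sample values.

```python
import hashlib

# Constructed sample values: an OP issuer URL and the OP's private salt
OP_ISSUER = "https://op.example"
SALT = b"constructed-op-secret-salt"


def pairwise_sub(sector_identifier: str, local_account_id: str, salt: bytes = SALT) -> str:
    """Derive a per-client (pairwise) subject identifier.

    SHA-256 over the client's sector identifier, the OP's local account id
    and an OP-held salt (OIDC Core 8.1 sketch). Two clients in different
    sectors receive different 'sub' values for the same user, so they
    cannot correlate the user by comparing 'sub'. The value is stable as
    long as the salt and the account id do not change, so it is not ephemeral.
    """
    data = sector_identifier.encode() + b"|" + local_account_id.encode() + b"|" + salt
    return hashlib.sha256(data).hexdigest()


def build_id_token_claims(local_account_id: str, client_id: str,
                          sector_identifier: str, subject_type: str) -> dict:
    """OP side: the identity claims of an ID Token for one client."""
    if subject_type == "public":
        # Same 'sub' for every client of this OP: cross-client correlation possible
        sub = local_account_id
    elif subject_type == "pairwise":
        sub = pairwise_sub(sector_identifier, local_account_id)
    else:
        raise ValueError("subject_type must be 'public' or 'pairwise'")
    return {"iss": OP_ISSUER, "sub": sub, "aud": client_id}


def sub_is_shared(claims_a: dict, claims_b: dict) -> bool:
    """True when two clients could link the user by comparing 'sub'."""
    return claims_a["sub"] == claims_b["sub"]


def client_accepts(claims: dict, expected_issuer: str, client_id: str) -> bool:
    """RP side: accept only tokens from our OP that are addressed to our client_id."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]  # 'aud' may be a single string or a list of audiences
    return claims.get("iss") == expected_issuer and client_id in (aud or [])
```

An RP that keys its user records on sub must be told by the OP (via subject_type) whether that value is shared with other clients or private to it.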