This repository was archived by the owner on Jun 23, 2023. It is now read-only.

Pairwise ID relies on sector_identifier_uri in auth request #206

@vladimir-mencl-eresearch

Description

Hi,

This is partly related to UniversitaDellaCalabria/SATOSA-oidcop#20 and UniversitaDellaCalabria/SATOSA-oidcop#21 (which give some more context).

When trying to use pairwise sub_type with oidcop, I was getting the same sub values for both public and pairwise types - and realised it was because sector_identifier being passed by create_grant to the sub functions was an empty string.

And I found it's populated with auth_req.get("sector_identifier_uri", "").

I managed to set it by explicitly including it as an extra parameter in the Authn request with:

OIDCAuthRequestParams sector_identifier_uri=client.example.org

... but this uncovers several issues:

  • generating pairwise IDs that are not really pairwise (if empty string is accepted as sector_identifier)
  • accepting arbitrary strings as sector_identifier from the client per each authn request
  • expecting the client to pass the sector_identifier_uri in each authn request (instead of solving it at registration time).

I believe this could be addressed by extending the interface of create_grant and create_session to also take a sector_identifier attribute - which would be populated from the client registration database available in the code making these calls (such as OidcOpFrontend).

Thanks a lot in advance for considering this.

Cheers,
Vlad
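The two derivations contrasted in this issue, as an added example that is not part of the report or of oidcop's code: `sub_from_auth_request` mirrors the pattern described above (sector taken from the request, defaulting to an empty string), while `sub_from_registration` takes the sector from the client's registration record and rejects an empty one. `CLIENT_DB`, `SALT` and the function names are constructed for the example.

```python
import hashlib
from urllib.parse import urlparse

# Constructed registrations (hypothetical; not a real oidcop client database).
CLIENT_DB = {
    "client_a": {"subject_type": "pairwise",
                 "sector_identifier_uri": "https://client.example.org/sectors.json",
                 "redirect_uris": ["https://app1.example.org/cb"]},
    "client_b": {"subject_type": "pairwise",
                 "redirect_uris": ["https://app2.example.net/cb"]},
    "client_c": {"subject_type": "public",
                 "redirect_uris": ["https://app3.example.com/cb"]},
}
SALT = b"constructed-salt"  # a real OP keeps a per-deployment secret salt


def pairwise_hash(sector: str, user_id: str) -> str:
    """Pairwise sub as in OIDC Core 8.1: hash of sector, local account id and salt."""
    return hashlib.sha256(sector.encode() + user_id.encode() + SALT).hexdigest()


def sub_from_auth_request(user_id: str, auth_req: dict) -> str:
    """The pattern the issue describes: sector comes from the request, default ''.
    Every client that omits the parameter gets the same hash, so the sub is not pairwise."""
    return pairwise_hash(auth_req.get("sector_identifier_uri", ""), user_id)


def sector_identifier_for(client_info: dict) -> str:
    """Derive the sector from registration data: host of sector_identifier_uri if
    registered, otherwise the host shared by all redirect_uris."""
    uri = client_info.get("sector_identifier_uri")
    if uri:
        return urlparse(uri).hostname or ""
    hosts = {urlparse(u).hostname for u in client_info.get("redirect_uris", [])}
    if len(hosts) != 1:
        raise ValueError("sector_identifier_uri required when redirect_uris span hosts")
    return hosts.pop() or ""


def sub_from_registration(user_id: str, client_info: dict, auth_req: dict) -> str:
    """Hardened form: auth_req is accepted but its sector_identifier_uri is ignored."""
    if client_info.get("subject_type", "public") == "public":
        return user_id
    sector = sector_identifier_for(client_info)
    if not sector:
        raise ValueError("empty sector identifier would make pairwise subs linkable")
    return pairwise_hash(sector, user_id)
```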
