Open NicolasLiampotis opened 5 months ago
To change from voPersonId
to sub
has the following implications:
sub
value to contain the same value the voPersonId
sub
claimFor relying parties:
voPersonId
as a unique key for the user they will need to change to the sub
claimsub
onlyIt will be necessary to introduce a version claim for signalling the supported AARC profile version to reying parties. At the same time, relying parties can sye the version scope to signal their support for the AARC profile
AFAIR we introduced using the voPerson
usage, because sub
might not be specified by each OP implementation, plus it will lead to problems, since it's not unique. Imagine one infraproxy serving multiple communities. We don't want to (and can't) suggest scoping the sub
.
It is probably safer to assume that nobody uses multiple values in vopersonId
sub
is defined as "locally" unique; meaning that is unique within the network managed by the OP.
Its value (pairwise/public) depends on the subject_type
attribute of the client/RP. subject_type
is defined for sub. By using voperson_id
it means that subject_type
causes an indirect side-effect to the value (and the definition) of voperson_id
.
Unless we agree that there will be no pairwise identifiers transmitted by voperson_id
. But that would get us in a problematic situation for the pseudonymous and anonymous entity categories.
We have already seen problems with services not being able to understand other claims, and others that eventhough they do understand other claims as identifiers, they cannot be configured to extract part of them (the first element).
IMO using sub
is the way to go. We do need to profile it.
But it means that we are automatically compatible with all services that use sub
as the identifier of the user.
I still see several issues with sub
.
If I understand correctly the plan is to convey the sub
claim as issued by the Community AAI, not the home IdP.
That sub
claim is then transparently passed on by infrastructure proxies to the end services. That either means
1) infra proxy uses the same iss
claim as the community AAI (i.e. infra proxy is essentially the same as community AAI) or
2) the sub
claim in itself is globally unique and could hence be issued by multiple issuers.
In case 1) the infra proxy is just passing all the information unchanged onwards, it cannot change anything in the token (since it's not the issuer) so logically there is no infrastructure proxy (but see below under verification too).
Concerning pairwise: in case 1) I can see how a pairwise could still be working (although it would be difficult to determine for the Community AAI which probably still sees all services as a single SP), in case 2) pairwise doesn't seem to make any sense: it's pairwise between community and infra, not beyond: whatever the infra proxy is passing on cannot be called a pairwise identifier. In short, I think pairwise makes little sense in any case.
Verification: case 1) implies that end services that want to do verification via introspection & well-known metadata endpoints (standard pattern) they will end up at the community AAI unless the infra proxy implements proxied token introspection. If they want to do offline verification, all end-services must trust all community AAIs directly. Since the latter again implies that there is not really a separate infra proxy, I think case 1) requires support for proxied token introspection.
Additionally, I'm still thinking that changing the content of the sub
claim is going to cause a lot of problems:
sub
claims, incl. potentially in a different format (glob unique).sub
claimsub
claims (which they could interpret as different users if they identified their users from the sub
)
For new communities/infrastructures these last points are less of an issue of course.From the (just-finished) call:
A problem with using sub
: sub
is considered unique in combination with the iss
, I would say that that implies that getting the same sub
from different iss
, the RP needs to interpret them as different users?
It's a bit unclear in https://www.rfc-editor.org/rfc/rfc7519.html#section-4.1.2 which says it can be globally unique versus OIDC core https://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes where it says locally unique.
sub
is defined as "locally" unique; meaning that is unique within the network managed by the OP. This is IMO the reason why we've introduced usingvo_person_id
. Didn't we?
sub
is defined as "locally" unique; meaning that is unique within the network managed by the OP. This is IMO the reason why we've introduced usingvo_person_id
. Didn't we?
Note that the JWT RFC allows for either local or globally unique:
The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique.
We also need to consider the syntax limitations to align between OIDC/OAuth sub
and OASIS subject-id
values. Even though both standards expect ASCII characters they have different requirements.
I've tried to summarise the four different approaches discussed during the last architecture working group meetings:
voPersonID
(AARC-G026 & voPerson schema)Pros:
Cons:
voPersonID
is defined as multi-valued in the voPerson schema, making it less compatible with single-valued standards like OAuth’s sub
or OASIS’ subject-id
.sub
(pairwise) in OIDC/OAuth or pairwise-id
in SAML).Migration Implications:
sub
(OIDC core) and subject-id
(OASIS standard)Pros:
Cons:
voPersonID
/ voperson_id
.sub
with iss
.sub
value released from the upstream Identity Proxy/Community AAI.Migration Implications:
voPersonID
or sub+iss
combination).sub
and voPersonID
Pros:
voPersonID
while adopting standard sub
.Cons:
sub
value released from the upstream Identity Proxy/Community AAI.voPersonID
and Fallback to sub
for Limited RPsPros:
voPersonID
.sub
to function correctly without major disruption.Cons:
Migration Implications:
sub
or voPersonID
, complicating support and security policies.
sub
value released from their upstream Identity Proxy/Community AAI.Thoughts on these four approaches? Please share your feedback.
Comments on
sub
? But then, when that sub
comes via different infraproxies, the RPs will see different iss
meaning they must interpret them as different users, or break the standards. Alternatively the infraproxies would also reuse the same iss
but that means they either need the signing keys or they cannot adjust any of the claims in the tokens. Plus, not all software will be able to put "random" strings inside the sub
claim.iss
is much easier since it's the standard OAuth2/OIDC scenario. Plus why would we here need to put the same in voPersonId and sub ? If we include pairwise, different RPs in any case will get different identifiers.I think everything beside 2 would be fine, since we do not "break" previous guidelines. I also assume that we have always the problem of users appearing in two different accounts by using different proxies in the chain, because it is always possible that anyone in the chain releases pairwise identifiers.
Have we ever thought about connecting CAAI and IP via SAML. In this case there wouldn't be any sub
claim available.
Description
This issue highlights inconsistencies in subject identifier properties (multiplicity, case sensitivity, syntax) between voPersonID, OASIS subject-id, and OIDC/OAuth sub.
Subject Identifier Comparison
@
+ 64 ASCII for scopesubject-id
) & pairwise (pairwise-id
) attributesub
claimWe need to investigate if we can use an existing attribute/claim or if we need to define a new one. Using something standard like
sub
would be easy.See also RANDE proposal for introducing
gsub
claim: https://docs.google.com/document/d/1XH3pX4zU62S7VQ3JGTLDgSr4tb9vt6sDW0sgxD2Xi64/editRelated Issues
8