Prevent @ from appearing in values used for scoped attributes.

swedenconnect / technical-framework

Technical Specifications for the Swedish eID Framework

27 stars 3 forks source link

Prevent @ from appearing in values used for scoped attributes. #208

Open martin-lindstrom opened 4 months ago

martin-lindstrom commented 4 months ago

A scoped attribute value is on the form value@domain , and if value contains a @, for example user@example.com, we will end up with an attribute value containing two @-characters, e.g. user@example.com@example.com, and this will lead to potential implementation problems.

Therefore, the attribute specification needs to be updated with a strong recommendation not to use @ in the value part of scoped attributes.

magnussuther commented 4 months ago

We (Knowit, and at least one of our customers) are already using the orgAffiliation attribute, where the uid part just happens to be a UPN (=email). This works perfectly fine, and the specifications clearly states

In the general case, an attribute consumer MUST NOT assume a particular format or
meaning of the personal identifier part since different organizations may use different formats

A simple clarification that the attribute may include multiple @ and that is therefore cannot be parsed as an email address, should be enough, I think.

martin-lindstrom commented 4 months ago

@magnussuther Yes. I agree.

So, when you split up the orgAffiliation value you trig on the last '@' character?