Re: [webrtc-pc] Specifying third party IdP for validating assertion

I think that the question here is about how an IdP might make a claim about a different domain.  Or, if you get an assertion for `user@example.com`, how `example.net` might verify that assertion.

This is not a function that `setIdentityProvider` is intended to provide.  This is something that the browser might decide to allow, but a site wouldn't and indeed MUST NOT.

Say that I know you as `soareschen@example.net`.  If I visit a site, I need to know that when the assertion arrives for you, then it is you.  You don't want `https://attacker.example` to be able to install an override so that their IdP can assert for `example.net`.

-- 
GitHub Notification of comment by martinthomson
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1506#issuecomment-317596208 using your GitHub account

Received on Tuesday, 25 July 2017 00:52:27 UTC
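
The acceptance rule described in the comment above, as an added example that is not part of the original message or of the WebRTC API. It assumes a hypothetical `checkAssertion` helper, a browser-held `browserPolicy` map of permitted third-party IdPs, and plain lowercase hostname comparison; all sample values are constructed.

```javascript
// Added illustration: all names here are hypothetical, not part of the WebRTC API.

// Split "user@domain" at the last "@"; returns null when malformed.
function parseIdentity(identity) {
  const at = identity.lastIndexOf('@');
  if (at <= 0 || at === identity.length - 1) return null;
  return { user: identity.slice(0, at), domain: identity.slice(at + 1).toLowerCase() };
}

// browserPolicy: Map of identity domain -> Set of third-party IdP domains,
// assumed to be configured in the browser by the user, never by page script.
// siteOverrides: whatever the page tried to supply; accepted as a parameter
// only to show that it plays no part in the decision.
function checkAssertion(idpDomain, identity, browserPolicy, siteOverrides) {
  const id = parseIdentity(identity);
  if (id === null) return { accepted: false, reason: 'malformed identity' };
  const idp = idpDomain.toLowerCase();
  // An IdP may always assert identities in its own domain.
  if (idp === id.domain) return { accepted: true, reason: 'authoritative' };
  // Any other IdP needs an entry in the browser-held policy.
  const allowed = browserPolicy.get(id.domain);
  if (allowed !== undefined && allowed.has(idp)) {
    return { accepted: true, reason: 'third-party allowed by browser' };
  }
  return { accepted: false, reason: 'idp not authoritative for ' + id.domain };
}

// Constructed sample inputs.
const browserPolicy = new Map([['example.com', new Set(['example.net'])]]);
const siteOverrides = { 'example.net': 'attacker.example' }; // page-supplied, ignored

const results = [
  checkAssertion('example.net', 'soareschen@example.net', browserPolicy, siteOverrides),
  checkAssertion('attacker.example', 'soareschen@example.net', browserPolicy, siteOverrides),
  checkAssertion('example.net', 'user@example.com', browserPolicy, siteOverrides),
];
for (const r of results) console.log(r.accepted, r.reason);
```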