- From: Soares Chen via GitHub <sysbot+gh@w3.org>
- Date: Tue, 25 Jul 2017 04:19:16 +0000
- To: public-webrtc-logs@w3.org
My original question is whether a custom IdP can be set when validating an identity assertion. (It shouldn't; that's why I'm seeking clarification for 5.7.1.2.) But AFAIK `setIdentityProvider` is for _generating_ identity assertions, and WebRTC does allow a third-party IdP to be used.

As far as I understand, in WebRTC there is currently no way for a browser to know about the local identity. It only knows the domain of the local identity but doesn't validate that it is the same as the one specified in `setIdentityProvider()`. For example, when alice@example.net connects to bob@example.org, Alice's `RTCPeerConnection` doesn't actually know that she is in fact alice@example.net. Alice's `RTCPeerConnection` only knows how to call `generateAssertion()` from whatever IdP proxy is specified in `setIdentityProvider()`, and the domain name example.net from `RTCIdentityAssertionResult`. It is only Bob's `RTCPeerConnection` that learns that the assertion represents alice@example.net, after calling `validateAssertion()` from the example.net IdP proxy.

In other words, Alice's app can do something like:

```javascript
// Alice's app
pc.setIdentityProvider('alice-home-server.com')

// alice-home-server.com IdP proxy
// Somehow call example.net's custom API to get an assertion
// returns a valid RTCIdentityAssertionResult for example.net
{
  idp: { domain: 'example.net' },
  assertion: 'string-signed-by-example.net'
}
```

So as long as alice-home-server.com returns a valid domain and assertion, Alice's `RTCPeerConnection` is happy. Bob's `RTCPeerConnection` would of course contact example.net only and make sure that the validated identity alice@example.net also belongs to the same domain.

-- 
GitHub Notification of comment by soareschen
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1506#issuecomment-317624634 using your GitHub account
Received on Tuesday, 25 July 2017 04:19:16 UTC
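The two sides of the flow described in the comment above, as an added model that is not part of the original message or of the WebRTC spec: plain functions stand in for the browser and for the IdP proxies, so nothing here is the real `RTCPeerConnection` or `RTCIdentityProvider` API. The domains, the "signature" scheme (a domain prefix on the assertion string) and the identities are constructed. The point it demonstrates is the check the comment attributes to Bob's side: the validating browser contacts only the IdP named in the assertion's `idp.domain`, and then verifies that the domain part of the returned identity matches that IdP domain, rejecting an IdP that vouches for an identity it does not own.

```javascript
// Constructed IdP proxies keyed by domain (not real WebRTC IdP proxy code).
// Each proxy "signs" an assertion by prefixing its own domain; a real IdP
// would use a cryptographic signature that the validator can verify.
const idpProxies = {
  'example.net': {
    generateAssertion(contents, origin, options) {
      // This constructed IdP signs whatever usernameHint it is given,
      // so a sloppy IdP could vouch for an identity in another domain.
      return {
        idp: { domain: 'example.net' },
        assertion: `signed-by-example.net|${options.usernameHint}|${contents}`,
      };
    },
    validateAssertion(assertion) {
      const [signer, identity, contents] = assertion.split('|');
      if (signer !== 'signed-by-example.net') return null; // bad "signature"
      return { identity, contents };
    },
  },
  // Alice's own proxy (hypothetical name from the comment). As the comment
  // describes, it may hand back an assertion naming a different IdP domain,
  // and Alice's browser has no way to notice.
  'alice-home-server.com': {
    generateAssertion(contents, origin, options) {
      return idpProxies['example.net'].generateAssertion(contents, origin, options);
    },
    validateAssertion() {
      return null;
    },
  },
};

// Alice's side: the local browser only learns result.idp.domain and an
// opaque assertion string; it never learns the identity itself.
function aliceGenerate(idpDomain, usernameHint, contents) {
  const proxy = idpProxies[idpDomain];
  if (!proxy) return { error: 'unknown IdP' };
  return proxy.generateAssertion(contents, 'https://app.example', { usernameHint });
}

// Bob's side: contact only the IdP named in the assertion, bind the assertion
// to the expected contents (the fingerprint from the SDP), and require that the
// identity's domain equals the IdP domain that was contacted.
function bobValidate(result, expectedContents) {
  const idpDomain = result.idp.domain.toLowerCase();
  const proxy = idpProxies[idpDomain];
  if (!proxy) return { ok: false, reason: 'unknown IdP' };

  const validated = proxy.validateAssertion(result.assertion);
  if (!validated) return { ok: false, reason: 'assertion rejected by IdP' };
  if (validated.contents !== expectedContents) {
    return { ok: false, reason: 'assertion not bound to this session' };
  }

  const at = validated.identity.lastIndexOf('@');
  if (at < 0) return { ok: false, reason: 'identity has no domain part' };
  const identityDomain = validated.identity.slice(at + 1).toLowerCase();
  if (identityDomain !== idpDomain) {
    return { ok: false, reason: 'identity domain mismatch' };
  }
  return { ok: true, identity: validated.identity };
}
```

Run stand-alone, `aliceGenerate('alice-home-server.com', 'alice@example.net', 'fp-constructed')` yields an assertion for example.net that Bob accepts as `alice@example.net`, while an assertion in which example.net vouches for `someone@example.org` is rejected with `identity domain mismatch` even though the "signature" checks out.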