
Re: [webrtc-pc] Specifying third party IdP for validating assertion

From: Soares Chen via GitHub <sysbot+gh@w3.org>
Date: Tue, 25 Jul 2017 04:19:16 +0000
To: public-webrtc-logs@w3.org
Message-ID: <issue_comment.created-317624634-1500956352-sysbot+gh@w3.org>
My original question is whether a custom IdP can be set when validating an identity assertion. (It shouldn't; that's why I'm seeking clarification for 5.7.1.2.) But AFAIK `setIdentityProvider` is for _generating_ identity assertions, and WebRTC does allow a third-party IdP to be used.

As far as I understand, in WebRTC there is currently no way for a browser to know about the local identity. It only knows the domain of the local identity, but doesn't validate that it is the same as the one specified in `setIdentityProvider()`.

For example, when alice@example.net connects to bob@example.org, Alice's `RTCPeerConnection` doesn't actually know that she is in fact alice@example.net. Alice's `RTCPeerConnection` only knows how to call `generateAssertion()` on whatever IdP proxy is specified in `setIdentityProvider()`, and the domain name example.net from `RTCIdentityAssertionResult`. It is only Bob's `RTCPeerConnection` that learns the assertion represents alice@example.net, after calling `validateAssertion()` on the example.net IdP proxy. In other words, Alice's app can do something like:

```javascript
// Alice's app
pc.setIdentityProvider('alice-home-server.com');

// alice-home-server.com IdP proxy
// Somehow calls example.net's custom API to get an assertion and
// returns a valid RTCIdentityAssertionResult for example.net:
{
  idp: {
    domain: 'example.net'
  },
  assertion: 'string-signed-by-example.net'
}
```

So as long as alice-home-server.com returns a valid domain and assertion, Alice's `RTCPeerConnection` is happy. Bob's `RTCPeerConnection` would of course contact example.net only, and make sure that the validated identity alice@example.net also belongs to the same domain.

-- 
GitHub Notification of comment by soareschen
Please view or discuss this issue at https://github.com/w3c/webrtc-pc/issues/1506#issuecomment-317624634 using your GitHub account