OpenID Artifact Binding

Convener: =nat

Notes-taker: Breno de Medeiros

Tags: OpenID Artifact Extension

Discussion notes:

Idea: Send smaller payload through the browser (indirect communication).

Goal: Support less powerful mobile browsers that may have stricter URL lengths and no support for Javascript.

Question: How to bind the token to the requester? Standard XSRF protection can be used to bind the request to the browser session at the RP. RP must sign requests to prevent artifact being stolen.

Statelessness: Can be achieved for identity select, some state required for claimed id. Allow artifact to be different in the request and the response to support statelessness.

Maximum length for artifacts should be specified.

Doing it through extensions—not possible, it requires changes to add signatures.  Suggestion: Use two different keys to avoid reflection attacks.