OpenID 'sub' mismatch.


Demeranville, Tom

Apr 9, 2018, 7:35:39 AM
to ORCID API Users
All,

It's been brought to our attention that there is a mismatch between the 'sub' provided within our OpenID tokens and the 'sub' provided by the userinfo endpoint.  Specifically, the id_token contains https://orcid.org/0000-0000-0000-0000 but the user info contains 0000-0000-0000-0000.

We will be changing the id_token so that it matches the user info endpoint, meaning we are removing the domain prefix.  The prefix can be derived from the 'iss', i.e. issuer, which is changing to be relative to the service, e.g. https://orcid.org or https://sandbox.orcid.org/

This change will happen in the next few weeks.  Please get in touch if you'd like more info.

Best,

Tom Demeranville
Technology Advocate
ORCID Inc

Basney, Jim

Apr 9, 2018, 10:49:53 AM
to ORCID API Users

Tom,

When their sub claim changes, I expect users will no longer be able to sign in to their accounts on our systems via ORCID unless we do a manual mapping from the https://orcid.org/0000-0000-0000-0000 to 0000-0000-0000-0000 form, similar to the change from the http://orcid.org/0000-0000-0000-0000 to https://orcid.org/0000-0000-0000-0000 form. Since [1] tells us to always use the full URI form, I'm surprised that the API is reverting the sub claim to the 0000-0000-0000-0000 form.

To help us plan for the operational impact of this change, can you provide a more precise schedule? Will this trigger an API version change to help us manage the timing of the change for our systems?

Thanks,

Jim

[1] https://support.orcid.org/knowledgebase/articles/116780

--
You received this message because you are subscribed to the Google Groups "ORCID API Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-use...@googlegroups.com.
To post to this group, send email to orcid-a...@googlegroups.com.
Visit this group at https://groups.google.com/group/orcid-api-users.
For more options, visit https://groups.google.com/d/optout.

Demeranville, Tom

Apr 9, 2018, 3:03:38 PM
to Basney, Jim, ORCID API Users
Hi Jim,

The reason we've decided on a non-URI subject is our reading of section 5.7 in the OpenID specification, which states that the 'sub' and 'iss' should be combined together to establish a globally unique identifier.  This implies that they should be kept separate, which is different from, say, a SAML ePTID, a scoped ID or a name ID which contains that information already (although in those cases not as a URI).  It would be possible to change both the id_token and userinfo to use the fully qualified URI as the subject.  But from what I can see, it seems that's not the OpenID way.

"The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim."

http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability

I realise this is inconvenient for established services, but we're hoping it won't have too high an impact, as those using OpenID are mainly using it in demonstrator services rather than production.  There will be no API version change, but we will give a precise time ahead of schedule.  I think this change needs to be made before we take OpenID out of beta and make it a fully supported feature.

Best,

Tom.


Tom Demeranville
Technology Advocate
ORCID Inc

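A relying-party-side mapping that follows the thread's two points (key accounts on the iss + sub pair, as the quoted "Claim Stability" text requires, and migrate records stored under the old full-URI 'sub' to the new bare form), as an added example that is not code from ORCID or from either poster. The account table and ORCID iDs are constructed sample data, and collapsing legacy http:// and https:// keys into one https:// issuer is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample: an RP's local account table keyed by the legacy full-URI
# 'sub' values it stored before the change (both http:// and https:// forms occur).
LEGACY_ACCOUNTS = {
    "http://orcid.org/0000-0002-1825-0097": "alice",
    "https://orcid.org/0000-0001-5109-3700": "bob",
    "https://sandbox.orcid.org/0000-0002-9079-593X": "carol-test",
}

# Bare ORCID iD: four groups of four, last character may be the checksum 'X'.
ORCID_ID = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{3}[\dX]$")


def canonical_key(iss: str, sub: str) -> str:
    """Build the RP's stable user key from the (iss, sub) pair.

    Accepts the old id_token form (full-URI sub) and the new form (bare iD) and
    normalises both to 'host|iD', so a login under either form hits one record.
    Rejects a URI-form sub whose host differs from the issuer, which would
    otherwise let a sandbox-issued token collide with a production account.
    """
    issuer_host = urlparse(iss).netloc.lower()
    if not issuer_host:
        raise ValueError("iss is not an absolute URL")
    bare = sub
    if "://" in sub:  # legacy full-URI subject
        parsed = urlparse(sub)
        if parsed.netloc.lower() != issuer_host:
            raise ValueError("sub host does not match iss host")
        bare = parsed.path.strip("/")
    if not ORCID_ID.match(bare):
        raise ValueError("sub is not an ORCID iD")
    return f"{issuer_host}|{bare}"


def migrated_accounts(legacy: dict) -> dict:
    """One-off migration of legacy URI-keyed records to (iss, sub) keys."""
    out = {}
    for uri, username in legacy.items():
        parsed = urlparse(uri)
        # Assumption: the legacy scheme carries no identity; both map to the https issuer.
        iss = f"https://{parsed.netloc}"
        out[canonical_key(iss, parsed.path.strip("/"))] = username
    return out


def lookup(iss: str, sub: str, accounts: dict):
    """Resolve a token's iss/sub to a local username, or None if unknown."""
    return accounts.get(canonical_key(iss, sub))
```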