OpenID 'sub' change scheduled for May 16th


Demeranville, Tom

Apr 19, 2018, 6:22:23 AM4/19/18
to ORCID API Users
All, 

We have scheduled the change to the format of the 'sub' element within id_tokens for the 16th of May.  This is to address the following issue:

There is a mismatch between the 'sub' provided within our OpenID tokens and the 'sub' provided by the userinfo endpoint.  Specifically, the id_token contains https://orcid.org/0000-0000-0000-0000 but the user info contains 0000-0000-0000-0000.

We will be changing the id_token so that it matches the user info endpoint, meaning we are removing the domain prefix.  The prefix can be derived from the 'iss', i.e. issuer, which is changing to be relative to the service, e.g. https://orcid.org or https://sandbox.orcid.org/

The reason we've decided on a non-URI subject is our reading of section 5.7 in the OpenID specification, which states that the 'sub' and 'iss' should be combined together to establish a globally unique identifier.  This implies that they should be kept separate, which is different from, say, a SAML ePTID, a scoped ID or a name ID which contains that information already (although in those cases not as a URI).

"The sub (subject) and iss (issuer) Claims, used together, are the only Claims that an RP can rely upon as a stable identifier for the End-User, since the sub Claim MUST be locally unique and never reassigned within the Issuer for a particular End-User, as described in Section 2. Therefore, the only guaranteed unique identifier for a given End-User is the combination of the iss Claim and the sub Claim." http://openid.net/specs/openid-connect-core-1_0.html#ClaimStability

Please let us know if you have any questions,

Tom Demeranville
Technology Advocate
ORCID Inc
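The two consequences of the announcement above for a relying party, as an added example that is not ORCID's code: the OpenID Connect Core spec (section 5.3.2) requires the UserInfo 'sub' to exactly match the ID Token 'sub', so the mismatch described breaks a conforming check until the cutover, and users should be keyed on the (iss, sub) pair rather than 'sub' alone. The claims are constructed samples using the placeholder iD from the post, and `normalize_sub` is a hypothetical migration helper, not an ORCID API.

```python
"""Keying an OpenID Connect user on (iss, sub) across the ORCID 'sub' format change."""

# Constructed sample claims; the ORCID iD is the placeholder from the thread.
ISS = "https://orcid.org"
ID_TOKEN_BEFORE = {"iss": ISS, "sub": "https://orcid.org/0000-0000-0000-0000"}
ID_TOKEN_AFTER = {"iss": ISS, "sub": "0000-0000-0000-0000"}
USERINFO = {"sub": "0000-0000-0000-0000"}


def userinfo_sub_matches(id_token: dict, userinfo: dict) -> bool:
    """OIDC Core 5.3.2: the UserInfo 'sub' must exactly equal the ID Token 'sub',
    otherwise the UserInfo response must not be used. Before the change this
    fails for ORCID because the id_token 'sub' carries the URI prefix."""
    return id_token["sub"] == userinfo["sub"]


def normalize_sub(iss: str, sub: str) -> str:
    """Hypothetical migration helper (assumption, not an ORCID API): accept both
    the old URI-form 'sub' and the new bare form by stripping the issuer prefix.
    Only the exact issuer prefix is stripped, so a 'sub' under another issuer
    is left untouched rather than silently collapsed into a local iD."""
    prefix = iss.rstrip("/") + "/"
    return sub[len(prefix):] if sub.startswith(prefix) else sub


def stable_identity(id_token: dict) -> tuple[str, str]:
    """The only stable identifier per the spec is the (iss, sub) pair.
    Normalising 'sub' means an account keyed before the cutover maps to the
    same record afterwards instead of appearing as a new user; the same bare
    iD under the sandbox issuer still yields a different identity."""
    return (id_token["iss"], normalize_sub(id_token["iss"], id_token["sub"]))


if __name__ == "__main__":
    print(userinfo_sub_matches(ID_TOKEN_BEFORE, USERINFO))  # False: the mismatch
    print(userinfo_sub_matches(ID_TOKEN_AFTER, USERINFO))   # True after the change
    print(stable_identity(ID_TOKEN_BEFORE) == stable_identity(ID_TOKEN_AFTER))  # True
```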

Christopher Jones

Apr 19, 2018, 6:52:17 PM4/19/18
to Demeranville, Tom, ORCID API Users
Hi Tom,

Thanks for the note, and for the timing.  This change will definitely affect our authentication service in the DataONE network, and so we’d like to request two things:

1) Having the switch be done in the sandbox.orcid.org environment at least two weeks before the production switch.  That will allow us to change our code and test it in the sandbox beforehand.

2) Identify the exact time that the production switch will occur on May 16th.  This will allow us to coordinate our switch at the same time to avoid downtime as much as possible.  We can let our community know that there will be a slight downtime during a defined window, and that they’ll need to authenticate again.

Thanks very much,
Chris

Christopher Jones ~ Software Engineer
National Center for Ecological Analysis and Synthesis
University of California Santa Barbara

--
You received this message because you are subscribed to the Google Groups "ORCID API Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to orcid-api-use...@googlegroups.com.
To post to this group, send email to orcid-a...@googlegroups.com.
Visit this group at https://groups.google.com/group/orcid-api-users.
For more options, visit https://groups.google.com/d/optout.

Demeranville, Tom

Apr 27, 2018, 5:02:18 AM4/27/18
to Christopher Jones, ORCID API Users
Hi Christopher,

Thanks for the reply.  

1) I think making the switch on sandbox.orcid.org beforehand is a very good idea.  I will schedule this for 4pm BST, 2nd of May.

2) In production, we will schedule a time nearer the date.  

Best,


Tom Demeranville
Technology Advocate
ORCID Inc


Christopher Jones

Apr 27, 2018, 1:27:11 PM4/27/18
to Demeranville, Tom, ORCID API Users
Great, thanks Tom, much appreciated.

Chris

Christopher Jones ~ Software Engineer
National Center for Ecological Analysis and Synthesis
University of California Santa Barbara
