[higgins-dev] RST issue in case of m-card with SelfIssuedCredential

Mike,

According to section 8.2 of Identity Selector Interoperability Profile V1.5, the subject confirmation method for self-issued tokens must be specified as one of:
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key, or
urn:oasis:names:tc:SAML:1.0:cm:bearer (for browser-based applications).

We have a problem on the STS server side in the case of an m-card with a self-issued credential. In this case, sts.server.token.identity.DigitalIdentityHandler expects an assertion with the "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key" subject confirmation method in the RST (by the way, CardSpace also sends a token with the "holder-of-key" subject confirmation method in this case). But the STS client always sends a "bearer" token because it is hardcoded in sts.client.TokenRequestFactory (at line 161) to use RST.KeyType = NoProofKeyKeyType. As a result, we get a NullPointerException in sts.server.token.identity.DigitalIdentityHandler (at line 316), because a bearer token does not contain key info.

It looks like we need to add a "confirmation method" (or "rstKeyType") argument to the TokenRequestFactory.createPersonalRequest(...) method to be able to set the required RST.KeyType. If you agree with this change, I can prepare an appropriate patch to the sts.client and iss.cardspace projects.

Thanks,
Sergey Lyakhov
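The mismatch described in the mail, modelled as an added Python example (not Higgins code): the client picks an RST KeyType, the resulting self-issued SAML 1.1 assertion carries either holder-of-key with ds:KeyInfo or bearer without it, and the server-side handler checks the confirmation method before it reads KeyInfo, so a bearer token produces a clear fault instead of a NullPointerException. The KeyType names, their mapping to confirmation methods, the function names and the key material are assumptions; only the two ConfirmationMethod URNs come from the mail.

```python
"""Assumed model of the RST KeyType / subject-confirmation mismatch (not Higgins code)."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# Assumed mapping from the client's RST.KeyType choice to the subject
# confirmation method of the self-issued token that results from it.
KEYTYPE_TO_CM = {
    "NoProofKey": CM_BEARER,           # what the hardcoded client always sends
    "SymmetricKey": CM_HOLDER_OF_KEY,  # what the m-card handler expects
    "PublicKey": CM_HOLDER_OF_KEY,
}


def create_personal_request(key_type="NoProofKey"):
    """Hypothetical stand-in for createPersonalRequest(...) with a KeyType parameter."""
    return {"KeyType": key_type}


def issue_self_issued_token(rst, proof_key="Q09OU1RSVUNURUQtS0VZ"):
    """Build the assertion; the proof key is constructed sample material, not a real key."""
    cm = KEYTYPE_TO_CM[rst["KeyType"]]
    assertion = ET.Element(f"{{{SAML_NS}}}Assertion")
    subject = ET.SubElement(assertion, f"{{{SAML_NS}}}Subject")
    conf = ET.SubElement(subject, f"{{{SAML_NS}}}SubjectConfirmation")
    ET.SubElement(conf, f"{{{SAML_NS}}}ConfirmationMethod").text = cm
    if cm == CM_HOLDER_OF_KEY:  # only holder-of-key carries ds:KeyInfo
        key_info = ET.SubElement(conf, f"{{{DS_NS}}}KeyInfo")
        ET.SubElement(key_info, f"{{{DS_NS}}}KeyValue").text = proof_key
    return ET.tostring(assertion)


def handle_assertion(assertion_xml):
    """Server side: return ("ok", key) or ("fault", reason), never dereference a missing KeyInfo."""
    root = ET.fromstring(assertion_xml)
    cm = root.findtext(f".//{{{SAML_NS}}}ConfirmationMethod")
    if cm != CM_HOLDER_OF_KEY:
        return ("fault", f"expected {CM_HOLDER_OF_KEY}, got {cm}")
    key = root.findtext(f".//{{{DS_NS}}}KeyValue")
    if key is None:
        return ("fault", "holder-of-key assertion without ds:KeyInfo")
    return ("ok", key)


def process(rst):
    """End-to-end: client RST -> self-issued token -> server handler result."""
    return handle_assertion(issue_self_issued_token(rst))
```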

