Re: [higgins-dev] RST issue in case of m-card with SelfIssuedCredential

Hi Mike - fyi - I created a Bugzilla ticket to track this issue:

https://bugs.eclipse.org/bugs/show_bug.cgi?id=269423

Any thoughts on Sergey's proposal?

regards...Brian


Brian Walker
=brian.walker
VP of Engineering
Parity Communications Inc
cell: 781-801-0254
bwalker@xxxxxxxxx



On Feb 13, 2009, at 1:50 PM, Sergey Lyakhov wrote:

Mike,

according to section 8.2 of Identity Selector Interoperability Profile
V1.5, the subject confirmation method for self-issued tokens must be
specified as one of:
urn:oasis:names:tc:SAML:1.0:cm:holder-of-key, or
urn:oasis:names:tc:SAML:1.0:cm:bearer (for browser-based applications).

We have a problem on the STS server side in the case of an m-card with a self-issued credential. In this case, sts.server.token.identity.DigitalIdentityHandler expects an assertion with the "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key" subject confirmation method in the RST (by the way, CardSpace also sends a token with the "holder-of-key" subject confirmation method in this case). But the STS client always sends a "bearer" token because it is hardcoded in sts.client.TokenRequestFactory (at line 161) to use RST.KeyType = NoProofKeyKeyType. As a result, we get a NullPointerException in sts.server.token.identity.DigitalIdentityHandler (at line 316), because a bearer token does not contain key info.

It looks like we need to add a "confirmation method" (or "rstKeyType") argument to the TokenRequestFactory.createPersonalRequest(...) method to be able to set the required RST.KeyType. If you agree with this change, I can prepare an appropriate patch to the sts.client and iss.cardspace projects.

Thanks,
Sergey Lyakhov

_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
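The mismatch Sergey describes has two halves: the client must request the KeyType that produces the confirmation method the relying party wants, and the server must check that a holder-of-key assertion actually carries key material before dereferencing it, so a bearer token arriving where holder-of-key is required is rejected with a clear fault instead of a NullPointerException. The following is an added illustration written for this thread, not Higgins code: the function and class names (key_type_for, extract_proof_key, TokenValidationError) are invented, the two SAML 1.1 assertions are constructed test data, and the WS-Trust KeyType URIs are the February 2005 WS-Trust ones used by CardSpace-era STSs, assumed here to be what the Higgins NoProofKeyKeyType and related constants map to. The two SAML confirmation-method URIs are the ones quoted in the message.

```python
import xml.etree.ElementTree as ET

# SAML 1.x namespaces and the two confirmation methods quoted in the thread.
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CM_HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key"
CM_BEARER = "urn:oasis:names:tc:SAML:1.0:cm:bearer"

# WS-Trust (Feb 2005) KeyType URIs. Assumption: these are what the Higgins
# NoProofKeyKeyType / SymmetricKey / PublicKey constants resolve to.
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust/"
KEYTYPE_SYMMETRIC = WST + "SymmetricKey"
KEYTYPE_PUBLIC = WST + "PublicKey"
KEYTYPE_NOPROOF = WST + "NoProofKey"

NS = {"saml": SAML_NS, "ds": DS_NS}


class TokenValidationError(Exception):
    """Raised when the presented assertion does not satisfy the required confirmation method."""


def key_type_for(confirmation_method, asymmetric=False):
    """Client side (hypothetical replacement for the hardcoded NoProofKey):
    pick the RST KeyType that yields the confirmation method the relying party
    requires. holder-of-key needs a proof key (symmetric or public); bearer needs none."""
    if confirmation_method == CM_BEARER:
        return KEYTYPE_NOPROOF
    if confirmation_method == CM_HOLDER_OF_KEY:
        return KEYTYPE_PUBLIC if asymmetric else KEYTYPE_SYMMETRIC
    raise ValueError("unsupported confirmation method: %r" % confirmation_method)


def extract_proof_key(assertion_xml, required_method):
    """Server side: return the ds:KeyInfo element of a holder-of-key assertion,
    None for a bearer assertion, and raise TokenValidationError (rather than
    dereferencing a missing KeyInfo) when the token does not match what is required."""
    root = ET.fromstring(assertion_xml)
    sc = root.find(".//saml:SubjectConfirmation", NS)
    if sc is None:
        raise TokenValidationError("assertion has no SubjectConfirmation")
    methods = [(m.text or "").strip() for m in sc.findall("saml:ConfirmationMethod", NS)]
    if required_method not in methods:
        raise TokenValidationError(
            "required confirmation method %s, token offers %s" % (required_method, methods))
    if required_method == CM_BEARER:
        return None  # nothing binds the token to a key; transport security must carry it
    key_info = sc.find("ds:KeyInfo", NS)
    if key_info is None:
        # Exactly the situation that produced the NPE: holder-of-key claimed, no key material.
        raise TokenValidationError("holder-of-key assertion carries no ds:KeyInfo")
    return key_info


def _assertion(method, key_info_xml=""):
    """Build a minimal constructed SAML 1.1 assertion (test data, not a real token)."""
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" MajorVersion="1" MinorVersion="1">'
        '<saml:AttributeStatement><saml:Subject><saml:SubjectConfirmation>'
        '<saml:ConfirmationMethod>%s</saml:ConfirmationMethod>%s'
        '</saml:SubjectConfirmation></saml:Subject></saml:AttributeStatement>'
        '</saml:Assertion>' % (SAML_NS, DS_NS, method, key_info_xml)
    )


# Constructed samples: what the hardcoded client sends (bearer, no KeyInfo) and what
# the server's DigitalIdentityHandler expects (holder-of-key with KeyInfo).
BEARER_ASSERTION = _assertion(CM_BEARER)
HOK_ASSERTION = _assertion(
    CM_HOLDER_OF_KEY, "<ds:KeyInfo><ds:KeyName>proof-key</ds:KeyName></ds:KeyInfo>")


if __name__ == "__main__":
    print("client requests KeyType:", key_type_for(CM_HOLDER_OF_KEY))
    print("server proof key:", extract_proof_key(HOK_ASSERTION, CM_HOLDER_OF_KEY).find("ds:KeyName", NS).text)
    try:
        extract_proof_key(BEARER_ASSERTION, CM_HOLDER_OF_KEY)
    except TokenValidationError as e:
        print("rejected:", e)
```

The point of the server-side half is that the confirmation-method check happens before any key lookup: a bearer token presented where holder-of-key is required fails on the method mismatch, and a holder-of-key token missing its KeyInfo fails on an explicit check, so neither path reaches a null dereference.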
