
Prevent @ from appearing in values used for scoped attributes.

Open martin-lindstrom opened this issue 1 year ago • 2 comments

A scoped attribute value is of the form value@domain, and if value contains a @, for example [email protected], we will end up with an attribute value containing two @-characters, e.g. [email protected]@example.com, and this will lead to potential implementation problems.

Therefore, the attribute specification needs to be updated with a strong recommendation not to use @ in the value part of scoped attributes.

martin-lindstrom, Apr 17 '24 09:04

We (Knowit, and at least one of our customers) are already using the orgAffiliation attribute, where the uid part just happens to be a UPN (=email). This works perfectly fine, and the specification clearly states:

In the general case, an attribute consumer MUST NOT assume a particular format or
meaning of the personal identifier part since different organizations may use different formats

A simple clarification that the attribute may include multiple @ and that it therefore cannot be parsed as an email address should be enough, I think.

magnussuther, Apr 18 '24 13:04

@magnussuther Yes. I agree.

So, when you split up the orgAffiliation value you trigger on the last '@' character?

martin-lindstrom, Apr 19 '24 07:04
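
The split discussed in this thread, as an added example that is not part of the issue or of the framework's own code: a consumer that splits a scoped attribute on the last '@' next to one that treats it like an email address. The function names and sample values are constructed, and the scope is assumed to be a domain name, which never contains '@'.

```python
# Added example: hypothetical helper names, constructed sample values.
from typing import NamedTuple


class ScopedValue(NamedTuple):
    value: str  # personal identifier part, opaque to the consumer
    scope: str  # domain part, everything after the last '@'


def parse_scoped(attr: str) -> ScopedValue:
    """Split a scoped attribute of the form value@domain on the LAST '@'.

    Assumption: the scope is a domain name and so contains no '@',
    while the value part may contain any number of '@' characters.
    """
    value, sep, scope = attr.rpartition("@")
    if not sep or not value or not scope:
        raise ValueError(f"not a scoped attribute: {attr!r}")
    # Domain names compare case-insensitively; the value part is left as-is.
    return ScopedValue(value, scope.lower())


def parse_scoped_naive(attr: str) -> ScopedValue:
    """Fragile consumer: splits on the FIRST '@', as for an email address."""
    value, _, scope = attr.partition("@")
    return ScopedValue(value, scope)


def in_scope(attr: str, allowed_scopes: set[str]) -> bool:
    """True only if the attribute parses and its scope is one we accept."""
    try:
        return parse_scoped(attr).scope in allowed_scopes
    except ValueError:
        return False


# Constructed sample: the identifier part is a UPN, the scope is the organization.
SAMPLE = "alice@mail.example@org.example"

if __name__ == "__main__":
    print(parse_scoped(SAMPLE))        # value keeps its own '@'
    print(parse_scoped_naive(SAMPLE))  # scope is no longer a domain name
    print(in_scope(SAMPLE, {"org.example"}))
```
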