Comment by snickerdoodle12
10 days ago
Wouldn't it make way more sense to just have the RP supply a nonce that gets signed by the IDP? Isn't this how oidc works already?
10 days ago
Wouldn't it make way more sense to just have the RP supply a nonce that gets signed by the IDP? Isn't this how oidc works already?
Wouldn't that potentially leak data to the IDP?
All it would leak is that an age verification request happened. The RP would request you/your browser to forward the request "hi can you pls verify if user with nonce 123456 is 18?" to your IDP of choice.
And then the IDP gives you "yes the user with nonce 123456 is 18" signed with its private key, which you forward to the RP.
The only data "leaked" would be which IDP you used to the RP, and that there was an 18+ verification request to the IDP. The IDP wouldn't need to know which RP they're signing the proof for.
This does allow proxying the requests, but honestly, how locked down does this need to be? It's far easier to just snatch your parent's drivers license or passport at that point.