[Openid-specs-ab] Lite Draft 8

John Bradley ve7jtb at ve7jtb.com
Thu Aug 18 02:14:17 UTC 2011

They could but that would not be in the spirit of OAuth.

I think the idea of pre-regestring what attributes a RP gets is one that has caused problems in SAML.   It may work in an enterprise, but we now have to have RP spoof multiple entity_id/client_id to be able to request the correct attributes.

Remember we are trying to build privacy preserving into the technology, that involves the principal of minimal disclosure. 

Pre-regestring attributes per client_id sounds like a bad idea as compared to a small number of default scopes for the protected resource.  

On 2011-08-17, at 9:14 PM, Allen Tom wrote:

> The scopes that the client is asking for could be bound to the client_id. This assumes that the RP pre-registered with the OP.  
> That being said, I think it's probably easier for client developers if they're able to dynamically specify the scopes that they want.
> Allen
> On Wed, Aug 17, 2011 at 5:19 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes but the question is how you ask for authorization.
> If there is only one scope then you can't ask for a subset.  At least Facebook dosen't want to give email by default.  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110817/44705dd1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110817/44705dd1/attachment.p7s>

More information about the Openid-specs-ab mailing list