[Openid-specs-ab] Lite Draft 8

Anthony Nadalin tonynad at microsoft.com
Thu Aug 18 16:50:45 UTC 2011

Wouldn't/couldn't that be part of the user consent for a fixed schema?

From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Wednesday, August 17, 2011 5:20 PM
To: Anthony Nadalin
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Lite Draft 8

Yes but the question is how you ask for authorization.

If there is only one scope then you can't ask for a subset.  At least Facebook doesn't want to give email by default.

I suspect that you are not arguing against privacy, or consent.  So perhaps I am not understanding the question.

Are you asking for a single scope called openid that provides an id_token for the session info and an access token scoped for all of the user's available attributes?

The current proposal is 4 scopes so that an RP just wanting to do SSO doesn't need to ask for permission to get the user's name.

openid  = User ID
email   = email
address = address
profile = all remaining default attributes.

I think for interoperability we have to say something about the scopes for the user-info endpoint.

On 2011-08-17, at 1:28 PM, Anthony Nadalin wrote:

So why would you have to give back all the information? You get back all or any portion that you are authorized to access.

From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Tuesday, August 16, 2011 4:41 PM
To: Anthony Nadalin
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Lite Draft 8

From a privacy point of view, giving all of the information in the user-info endpoint all the time with only a single scope is not ideal.
Mike wanted to do that but have additional negative scopes so that you could say you don't want things, but have the default be the common case.
This still requires defining multiple scopes.

We could just make openid the scope for the id_token.  However that makes interoperability for the user-info endpoint worse than AX if that is possible.

I wouldn't want to get rid of nonce or state for security reasons.  We could make those required for the profile and ditch prompt and display.

Other opinions?

On 2011-08-16, at 7:03 PM, Anthony Nadalin wrote:

1. 3.1 Why is there any scope beyond "openid"? Is this spec going to be continually updated whenever a new scope is added/changed? It seems like a bad idea to have additional scopes in the spec.
2. 3.2.1 Why have optional parameters? This should be basic (code and go).
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
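The four-scope proposal John describes (an RP asks for a subset of openid/email/address/profile, the user can withhold scopes at consent, and the user-info endpoint returns only the claims the granted scopes cover, with state and nonce kept on the authorization request) as an added worked example. This is not code from the thread, the Lite draft or any OpenID implementation; the scope-to-claim mapping, the endpoint URLs, the client identifiers and the sample user record are assumptions constructed for illustration, and the individual claim names listed under "profile" are taken from the later OpenID Connect registered-claim list rather than from this draft.

```python
"""Scope-based claim release for a user-info endpoint (added example)."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed mapping. The thread names the four scopes; the claim names under
# "profile" are an assumption drawn from the later OpenID Connect claim list.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "profile": {"name", "given_name", "family_name", "nickname",
                "preferred_username", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
}

# Constructed sample record held by the OP; not real data.
SAMPLE_USER = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "janedoe@example.com",
    "email_verified": True,
    "address": {"country": "US"},
    "birthdate": "1970-01-01",
    "internal_flags": ["beta"],  # covered by no scope: must never be released
}


def parse_scope(scope):
    """Split the space-delimited scope value. 'openid' is mandatory because it
    is the scope that yields the id_token; unknown scopes are dropped rather
    than granted, so a typo or probe never widens what is released."""
    requested = set(scope.split())
    if "openid" not in requested:
        raise ValueError("scope must include 'openid'")
    return requested & set(SCOPE_CLAIMS)


def build_authorization_url(authz_endpoint, client_id, redirect_uri, scopes):
    """Authorization Code request carrying a fresh state (binds the response
    to the browser session, defeating CSRF on the callback) and nonce (binds
    the id_token to this request). Returns (url, state, nonce); the RP keeps
    state and nonce in its session to verify later."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(sorted(scopes)),
        "state": state,
        "nonce": nonce,
    }
    return authz_endpoint + "?" + urlencode(params), state, nonce


def callback_state_ok(callback_url, expected_state):
    """Constant-time comparison of the state echoed on the redirect URI."""
    query = parse_qs(urlparse(callback_url).query)
    returned = query.get("state", [""])[0]
    return secrets.compare_digest(returned, expected_state)


def grant_scopes(requested, user_approved):
    """Consent step: the user may withhold any optional scope (the 'no email
    by default' case from the thread); openid always remains granted."""
    granted = set(requested) & set(user_approved)
    granted.add("openid")
    return granted


def userinfo_response(granted_scopes, user_record):
    """User-info endpoint: release only claims covered by granted scopes.
    Fields in the record that belong to no scope are never returned."""
    allowed = set().union(*(SCOPE_CLAIMS[s] for s in granted_scopes))
    return {k: v for k, v in user_record.items() if k in allowed}


if __name__ == "__main__":
    requested = parse_scope("openid email profile bogus")
    url, state, nonce = build_authorization_url(
        "https://op.example.com/authorize", "client-123",
        "https://rp.example.com/cb", requested)
    # User approves SSO and email but declines the profile scope at consent.
    granted = grant_scopes(requested, {"openid", "email"})
    print(userinfo_response(granted, SAMPLE_USER))
```

The design point the thread turns on is visible in `grant_scopes` and `userinfo_response`: because the request names scopes individually, consent can subtract one without the RP losing SSO, and the endpoint never has to decide per-attribute what "authorized" means beyond the scope mapping.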
