[Openid-specs-ab] OpenID Connect FAQ?

John Bradley ve7jtb at ve7jtb.com
Mon Aug 22 19:02:00 UTC 2011


Yes, IdPs are free to add scopes to the OAuth request. That is one reason for keeping the user-info token separate from the id_token. That enables providers to do that with existing endpoints, like the Graph API, Portable Contacts, etc.

Yes the IdP can add claims to the user-info endpoint.

For the moment they need to be full URIs to avoid conflict. We did discuss setting up a registry for short names, but have not progressed that.

So for now the short names are fixed by the spec; extension claims/attributes need to be named by URI.

John
On 2011-08-19, at 11:18 PM, Allen Tom wrote:

> Hi Nat,
> 
> I gave you edit permissions to the doc, so go ahead and chime in!
> 
> Regarding extending scopes - what I meant was that IdPs may define additional IdP-specific scopes which clients can specify in the Authorization request. So for instance, an IdP could offer a "post_to_my_wall" scope which clients could specify in addition to the openid scope. Presumably, the Access Token that's returned could be used at both the UserInfo endpoint, and the post_to_my_wall endpoint. Does that make sense?
> 
> Also, regarding the UserInfo endpoint - I thought IdPs were free to add additional key/values to the response? At least, that's what I remember from David Recordon's original proposal. If this is still the case, then can IdPs add new key/values without risking conflicts?
> 
> Since XRIs are just another URI, I'll remove it from the FAQ.
> 
> Thanks,
> Allen
> 
> 
> On Fri, Aug 19, 2011 at 6:24 PM, Nat Sakimura <sakimura at gmail.com> wrote:
> Thanks a lot! 
> 
> I may want to chime in as well, like claims. 
> Extending scopes is not recommended by Connect, as it would cause interoperability problems. The preferred way is to use the claims syntax.
> 
> Also, I am not sure if we need to spell out "OpenID Connect does not support XRI" as it is just another URI and thus the statement is not entirely correct. 
> 
> =nat via iPad
> 
> On 2011/08/20, at 7:49, Allen Tom <allentomdude at gmail.com> wrote:
> 
>> OK, here's what I typed up this afternoon. It is only meant to be an informative easy to read summary of commonly asked questions regarding OpenID Connect.
>> 
>> https://docs.google.com/document/pub?id=16uH73S0VqouiDbfKJxxOUlgU9AZFu_ZRXVPJXwPCE6A
>> 
>> Anyone else want to pitch in?
>> 
>> Allen
>> 
>> 
>> On Fri, Aug 19, 2011 at 2:40 PM, Pam Dingle <pdingle at pingidentity.com> wrote:
>> Not everyone we want to inform will be an implementer.  A FAQ creates an easy set of quotable definitions for press, bloggers, and other folks who may want to talk about the spec without digging into it.
>> 
>> 
>> On Fri, Aug 19, 2011 at 2:24 PM, Johnny Bufu <jbufu at janrain.com> wrote:
>> I think these should be covered in the spec, rather than an external, non-authoritative document. An implementer would need answers for all of them (except the first one), so the spec really should provide them.
>> 
>> Johnny
>> 
>> 
>> On 11-08-19 12:15 PM, Allen Tom wrote:
>> Would it be useful to have an OpenID Connect technical FAQ? Is there one
>> already? If not, I can help set it up as a separate wiki/living document.
>> 
>> Off the top of my head, some questions and answers that should be listed
>> are:
>> 
>> - What's OpenID Connect, and how is it different than OpenID 2.0?
>> - How is OpenID Connect different than OAuth 2.0?
>> - What is the id_token?
>> - What's the UserInfo endpoint?
>> - What's the CheckSession endpoint?
>> - When should clients use the Implicit vs Code flows?
>> - What's the identifier for the user?
>> - How do I extend OpenID Connect?
>> 
>> Allen
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
>> 
>> 
>> -- 
>> Pamela Dingle  |  Sr. Technical Architect
>> PingIdentity  |   www.pingidentity.com
>> 
>> 
> 
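The thread settles on a naming rule for UserInfo responses: short claim names are fixed by the spec, and IdP extension claims must be named by a full URI. The Python below is an added example (not code from the list, the spec or any IdP) of how a relying party can enforce that rule when it parses a UserInfo response, and how it can separate the `openid` scope from IdP-specific scopes such as the `post_to_my_wall` example. The `STANDARD_CLAIMS` set is an illustrative assumption, not the spec's list, and the sample response is constructed.

```python
import json
from urllib.parse import urlparse

# Assumed, illustrative subset of spec-defined short claim names.
# A real relying party would load the list from the spec it implements.
STANDARD_CLAIMS = {"user_id", "name", "given_name", "family_name", "email", "picture"}


def is_uri_name(name):
    """True if the claim name is an absolute URI (has a scheme, RFC 3986)."""
    return urlparse(name).scheme != ""


def classify_userinfo(payload):
    """Split a UserInfo JSON object into three dicts:
    standard claims (spec short names), URI-named extension claims,
    and unknown short names, which the thread's rule treats as
    non-interoperable and a relying party should not trust blindly."""
    data = json.loads(payload)
    standard, extensions, unknown = {}, {}, {}
    for key, value in data.items():
        if key in STANDARD_CLAIMS:
            standard[key] = value
        elif is_uri_name(key):
            extensions[key] = value
        else:
            unknown[key] = value
    return standard, extensions, unknown


def split_scopes(scope_param):
    """Return (openid_requested, idp_specific_scopes) for a
    space-delimited OAuth scope value."""
    scopes = scope_param.split()
    return "openid" in scopes, [s for s in scopes if s != "openid"]


# Constructed sample UserInfo response: two standard claims, one
# URI-named extension claim, and one unregistered short name.
SAMPLE_USERINFO = json.dumps({
    "user_id": "248289761001",
    "name": "Jane Doe",
    "email": "jane@example.com",
    "https://idp.example.com/claims/wall_access": True,
    "favorite_color": "blue",
})

if __name__ == "__main__":
    std, ext, unk = classify_userinfo(SAMPLE_USERINFO)
    print("standard:", std)
    print("extensions:", ext)
    print("unknown (non-interoperable):", unk)
    print("scopes:", split_scopes("openid post_to_my_wall"))
```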


