[Openid-specs-ab] OpenID Connect Federations

Nat Sakimura sakimura at gmail.com
Thu Aug 30 13:58:45 UTC 2012

As far as I understand, the authorization is done by the resource owner.
Resource owner is the party who is authoritative in making the
authorization decision.
It is not same as the PII principal nor end-user.
This means that there could be pre-set rules etc. that does
authorization behind the scene.

Wrt. registration, I agree it needs a bit more work.


On Fri, Aug 24, 2012 at 8:21 PM, Andreas Åkre Solberg
<andreas.solberg at uninett.no> wrote:
> Hi,
> again, I'm considering the possibility of building Identity Federations with OpenID Connect.
> I sketched my idea here:
>         https://github.com/andreassolberg/documents/blob/master/openidconnect/draft-solberg-connect-federations.md
> The idea is basically to define a chain of JSON documents that lists trusted providers with the combination of issuer, jwt, UI info and possibly restrictions.
> I've done an attempt to get updated on the latest work on the 1.0 spec. A few comments wrt federations.
> I think it important to not rule out the possibility of implicit authorization. It is not obvious in Identity Federations to apply user consent /authorization at all.
>         OIC Standard 2.3.4
>         http://openid.net/specs/openid-connect-standard-1_0.html#anchor7
> Another thing is the discovery protocol. OIC Discovery 3.2 says response MUST be a plain JSON. I believe there will be several use cases for signing the response as a self-signed JWT.
> Andreas
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

Nat Sakimura (=nat)
Chairman, OpenID Foundation

More information about the Openid-specs-ab mailing list