[Openid-specs-ab] Possible MTI fallback position for OpenID Request Object

Mike Jones Michael.Jones at microsoft.com
Fri Feb 1 00:54:25 UTC 2013

The OpenID Request Object intended to be a complete encapsulation of the authentication request being made by a client to an Authorization Server.  As discussed on today's call, it does several related things:
  - Enables signed requests
  - Enables additional request parameters, such as "preferred_locales" and "max_age"
  - Enables requesting specific claims be returned in particular locations (ID Token, UserInfo)
  - Enables declaring whether requested claims are voluntary or essential
  - Enables providing information about requested claim values, including "auth_time", "acr", and "sub"

The primary thing that some people on the call seemed to feel should not be Mandatory to Implement (MTI) functionality is having to respond to requests for specific individual claims.  The alternative is that we could allow implementations to ignore the "claims" members of the "id_token" and "userinfo" fields and instead return an OP-specified default set of claims.  (These claims might or might not meet the RP's needs, but that might be true in any case, and so imposes no additional implementation burden on the RP.)  This clearly has worse privacy properties than only returning the claims that were actually requested.

However, several people also expressed the viewpoint that the OpenID Request Object should be parsed and the request parameters be acted upon.  This would enable signed requests and would enable additional request parameters such as "preferred_locales" and "max_age".  It would not enable requests for specific claims to be acted upon nor would it enable acting upon information about the desired properties of those claims.

People also expressed reservations about making "request_file" MTI.

In summary the, middle ground that I'd like people to discuss is:
  - Parsing OpenID Request Object MTI
  - Using request parameters contained in Request Object MTI
  - Supporting "preferred_locales" and "max_age" parameters MTI
  - Supporting "claims" fields OPTIONAL
  - If "claims" fields not supported, the claims returned would be determined by the OP
  - It would be discoverable whether "claims" is supported by an OP
  - Supporting "request_file" OPTIONAL
  - It would be discoverable whether "request_file" is supported
  - If "request_file" is not supported, the claims returned would be determined by the OP

Discussion encouraged...

                                                                -- Mike

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130201/02482b3f/attachment.html>

More information about the Openid-specs-ab mailing list