[Openid-specs-ab] A few queries about OpenID Connect

Glenn Grant glenn at welcomer.me
Wed Jul 23 04:55:07 UTC 2014


Heya,

Hopefully this is the right place to ask this, was directed here by Thomas
Hardjono.

I have a couple of queries that weren't clear to me after reading through
the specs and I was wondering if someone here might be able to help me out.

* Can a single OpenID Provider (OP) manage separate contexts (eg. different
unrelated/loosely related websites)?
  - This would imply to me yes: "OpenID Connect supports multiple Issuers
per Host and Port combination." ?
* Is it possible to externalise the userinfo endpoint from the OP core?
  - This is probably an implementation detail more than a spec thing, but I
assume some of you would be familiar with the MITREid implementation.
* The spec makes reference to a 'Claim Provider', but doesn't really detail
what is required to be one. Is it possible/how would one go about
implementing a 3rd party claim provider, and how would you authorise to it
(would it have to be an RP, or is it possible to implement arbitrary auth
methods that it requires; eg to turn a non OpenID Connect API into a Claim
Provider)
* If a single OP has 2 unique identities (on separate issuers) for user A,
(A1 & A2), is there a way to make an aggregated claim with details from
both, and how/where would you obtain/store the authorisations to do so? (or
would it be a better concept to implement a separate scope for each
'separate endpoint' (eg. 2 businesses running on the same OP))

Hopefully those questions make sense (they're a little bit of a brain dump)

Thanks so much!

- Glenn / devalias