[Openid-specs-ab] Comments on Solberg JWT Federation

Mike Schwartz mike at gluu.org
Thu Aug 2 21:31:24 UTC 2018


Actually the OP publishes "scopes_supported" and "claims_supported"

Roland proposed adding "rp_scopes" and "rp_claims" to metadata 
statements

But neither of these says what claims or scopes are supported by the 
federation, as you do on this page:
https://www.incommon.org/federation/attributes.html

- Mike


------------------------
Michael Schwartz
Gluu
Founder / CEO
mike at gluu.org
https://www.linkedin.com/in/nynymike/

On 2018-08-02 15:33, Nick Roy wrote:
> On 8/2/18 2:10 PM, Mike Schwartz via Openid-specs-ab wrote:
>> Andreas,
>> 
>> First question, how did you get twitter handle @erlang ?
>> 
>> Here are some comments, just prima facie:
>> 
>> 1. I like the idea to leverage Webfinger. One of my core concerns 
>> about the current OIDC federation draft is that it's too static in a day and
>> age when we're all using lots of APIs. And WebFinger is already used 
>> by OPs that support dynamic configuration, so why not use it? But one
>> question I have is public clients, for example a JavaScript 
>> application running in the browser can't host a Webfinger endpoint.
>> 
>> 2. Wouldn't it be better for the client to present its metadata 
>> during dynamic client registration, rather than requiring the OP to call back
>> to the RP's Webfinger URL at authentication time?
>> 
>> 3. Are you also proposing the use of OP,RP metadata for signing_keys,
>> signing_keys_uri, and signed_jwks_uri? Another federation challenge 
>> is that key rotation for the jwks_uri happens frequently if you are
>> following guidelines for best practices (every two days).
>> 
>> 4. What about metadata for the federation itself? Perhaps the 
>> federation
>> wants to publish certain guidelines, like what are the SAML attributes
>> it recommends its participants to support? For example, InCommon
>> recommends use of eduPerson.
> 
> Wouldn't that be handled by scopes in the metadata statement for the 
> OP,RP?
> 
> Nick
> 
>> 
>> 5. How would a client register with the federation to get that
>> persistent identifier? Or is that out of scope of your proposal?
>> 
>> 6. Did you go through the inter-federation use case? Is the data
>> duplicated? Or does one federation refer back to the other federation?
>> 
>> - Mike
>> 
>> 
>> ------------------------
>> Michael Schwartz
>> Gluu
>> Founder / CEO
>> mike at gluu.org
>> https://www.linkedin.com/in/nynymike/
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
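As an added illustration of Mike's point about federation-level metadata (this is not code from the thread, from Gluu, or from any OIDC federation implementation): with only the OP's discovery document and an RP metadata statement carrying the proposed rp_scopes/rp_claims, a checker can compare OP and RP against each other, but the attributes the federation itself recommends have to come from a third document that neither party publishes. All three documents below are constructed samples, and the federation policy format is hypothetical.

```python
import json

# Constructed OP discovery document (what an OP really publishes today).
OP_DISCOVERY = json.loads("""{
  "issuer": "https://op.example.edu",
  "scopes_supported": ["openid", "profile", "email", "eduperson"],
  "claims_supported": ["sub", "name", "email", "eduPersonPrincipalName"]
}""")

# Constructed RP metadata statement using the proposed rp_scopes / rp_claims.
RP_STATEMENT = json.loads("""{
  "redirect_uris": ["https://rp.example.org/cb"],
  "rp_scopes": ["openid", "email", "eduperson"],
  "rp_claims": ["sub", "email", "eduPersonPrincipalName", "eduPersonAffiliation"]
}""")

# Hypothetical federation policy document; the key names are assumptions.
# This is the piece that is missing from both OP and RP metadata.
FEDERATION_POLICY = {
    "claims_recommended": ["eduPersonPrincipalName", "eduPersonAffiliation", "email"],
    "scopes_recommended": ["openid", "eduperson"],
}


def reconcile(op, rp, federation=None):
    """Report gaps between what the RP asks for, what the OP offers, and
    (only if a federation policy is supplied) what the federation recommends.
    Without the federation document the report cannot say anything about
    federation-level expectations, which is the point being made."""
    op_claims = set(op.get("claims_supported", []))
    op_scopes = set(op.get("scopes_supported", []))
    rp_claims = set(rp.get("rp_claims", []))
    rp_scopes = set(rp.get("rp_scopes", []))
    report = {
        # Claims/scopes the RP wants that this OP does not advertise.
        "rp_claims_not_at_op": sorted(rp_claims - op_claims),
        "rp_scopes_not_at_op": sorted(rp_scopes - op_scopes),
    }
    if federation is not None:
        fed_claims = set(federation["claims_recommended"])
        fed_scopes = set(federation["scopes_recommended"])
        # Where the OP falls short of the federation's recommendations.
        report["op_missing_federation_claims"] = sorted(fed_claims - op_claims)
        report["op_missing_federation_scopes"] = sorted(fed_scopes - op_scopes)
    return report
```

Running reconcile() without the policy document shows the RP/OP mismatch on eduPersonAffiliation but says nothing about whether the OP meets the federation's attribute guidance; only the third document makes that visible.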

