[Openid-specs-ab] Comments on Solberg JWT Federation

Roland Hedberg roland at catalogix.se
Fri Aug 3 07:03:09 UTC 2018


Filip Skokan proposed changing the names to allowed_* which more reflects the intent.

> On 2 Aug 2018, at 23:31, Mike Schwartz via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> 
> Actually the OP publishes "scopes_supported" and "claims_supported"
> 
> Roland proposed adding "rp_scopes" and "rp_claims" to metadata statements
> 
> But neither of these say what claims or scopes are supported by the federation, as you do on this page:   https://www.incommon.org/federation/attributes.html

The federation, when signing the metadata statement for an entity/organisation belonging to the federation,
may add allowed_* claims to specify which scopes/claims can be used by that entity/organisation.

> - Mike
> 
> 
> ------------------------
> Michael Schwartz
> Gluu
> Founder / CEO
> mike at gluu.org
> https://www.linkedin.com/in/nynymike/
> 
> On 2018-08-02 15:33, Nick Roy wrote:
>> On 8/2/18 2:10 PM, Mike Schwartz via Openid-specs-ab wrote:
>>> Andreas,
>>> First question, how did you get the twitter handle @erlang?
>>> Here are some comments, just prima facie:
>>> 1. I like the idea to leverage Webfinger. One of my core concerns about
>>> the current OIDC federation draft is that it's too static in a day and
>>> age when we're all using lots of APIs. And WebFinger is already used by
>>> OPs that support dynamic configuration, so why not use it? But one
>>> question I have is public clients, for example a javascript application
>>> running in the browser can't host a Webfinger endpoint.
>>> 2. Wouldn't it be better for the client to present its metadata during
>>> dynamic client registration, rather than requiring the OP to call back
>>> to the RP's Webfinger URL at authentication time?
>>> 3. Are you also proposing the use of OP,RP metadata for signing_keys,
>>> signing_keys_uri, and signed_jwks_uri ? Another federation challenge is
>>> that key rotation for the jwks_uri happens frequently if you are
>>> following guidelines for best practices (every two days).
>>> 4. What about metadata for the federation itself? Perhaps the federation
>>> wants to publish certain guidelines, like what are the SAML attributes
>>> it recommends its participants to support? For example, InCommon
>>> recommends use of eduPerson.
>> Wouldn't that be handled by scopes in the metadata statement for the OP,RP?
>> Nick
>>> 5. How would a client register with the federation to get that
>>> persistent identifier? Or is that out of scope of your proposal?
>>> 6. Did you go through the inter-federation use case? Is the data
>>> duplicated? Or does one federation refer back to the other federation?
>>> - Mike
>>> ------------------------
>>> Michael Schwartz
>>> Gluu
>>> Founder / CEO
>>> mike at gluu.org
>>> https://www.linkedin.com/in/nynymike/
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab

— Roland

The higher up you go, the more mistakes you are allowed. Right at the top, if you make enough of them, it's considered to be your style. 
-Fred Astaire, dancer, actor, singer, musician, and choreographer (10 May 1899-1987)
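The mechanism Roland describes above (the federation signs an entity's metadata statement and may add allowed_* claims that bound which scopes and claims that entity may use) is illustrated below as an added example. It is not code from the OIDC federation draft or from anyone in this thread. The claim names allowed_scopes and allowed_claims, the federation and RP URLs, the sample statement and the federation key are all constructed for the example; HS256 (HMAC) is used only so the block runs with the Python standard library, whereas a real federation signs with an asymmetric key published in its JWKS so OPs never hold the signing secret.

```python
import base64
import hashlib
import hmac
import json
import time

# Claim names are an assumption following the allowed_* naming suggested in
# the thread; the draft spec may name them differently.
ALLOWED_SCOPES = "allowed_scopes"
ALLOWED_CLAIMS = "allowed_claims"

FED_KEY = b"constructed-federation-secret"  # constructed sample, not a real key

# Constructed sample: what a federation operator might sign for one RP.
SAMPLE_STATEMENT = {
    "iss": "https://federation.example.org",
    "sub": "https://rp.example.edu",
    "iat": 1533279600,
    "exp": 4102444800,
    "redirect_uris": ["https://rp.example.edu/cb"],
    ALLOWED_SCOPES: ["openid", "email"],
    ALLOWED_CLAIMS: ["sub", "email", "eduperson_principal_name"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_metadata_statement(payload: dict, key: bytes) -> str:
    """Federation side: wrap the entity's metadata in a compact JWS (HS256 here
    purely for a stdlib-only example; production would use an asymmetric key)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":"), sort_keys=True).encode())
        for part in (header, payload)
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(tag)


def verify_metadata_statement(token: str, key: bytes, now=None) -> dict:
    """OP side: pin the algorithm, check the MAC in constant time, then the
    expiry, and only then trust the payload (including its allowed_* claims)."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(key, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("metadata statement expired")
    return payload


def accepts(token: str, key: bytes) -> bool:
    """True if the OP would trust this statement, False for any verification failure."""
    try:
        verify_metadata_statement(token, key)
        return True
    except ValueError:
        return False


def effective_grant(statement, op_scopes_supported, op_claims_supported,
                    requested_scopes, requested_claims):
    """Intersect the RP's request with what the OP supports (scopes_supported /
    claims_supported) and what the federation allowed this RP. Returns
    (scopes, claims, rejected), where rejected maps each refused item to a reason."""
    rejected = {}

    def _filter(requested, supported, allowed, kind):
        kept = []
        for item in requested:
            if item not in supported:
                rejected[item] = "%s not supported by OP" % kind
            elif allowed is not None and item not in allowed:
                rejected[item] = "%s not allowed by federation" % kind
            else:
                kept.append(item)
        return kept

    # An absent allowed_* claim means the federation imposed no restriction of
    # that kind (the federation "may add" them); an empty list allows nothing.
    allowed_scopes = statement.get(ALLOWED_SCOPES)
    allowed_claims = statement.get(ALLOWED_CLAIMS)
    scopes = _filter(requested_scopes, set(op_scopes_supported),
                     None if allowed_scopes is None else set(allowed_scopes), "scope")
    claims = _filter(requested_claims, set(op_claims_supported),
                     None if allowed_claims is None else set(allowed_claims), "claim")
    return scopes, claims, rejected
```

Usage: the federation calls sign_metadata_statement once per entity; the OP verifies the statement it receives from the RP (at registration or at authentication time, whichever the profile settles on) and then runs effective_grant against its own scopes_supported/claims_supported, so the federation's allowed_* lists only ever narrow what the OP would grant anyway, never widen it. Note that an RP cannot widen its own allowed_* lists without breaking the federation's signature.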
