[Openid-specs-igov] meeting spec notes 2017-05-30
Mike Varley
mike.varley at securekey.com
Tue May 30 15:52:07 UTC 2017
OAUTH: ACR (managing LOA and RS)
ACR was added as an optional attribute to the access_token
- is ACR for the user or for the resource server? (intended to be the user)
- is this a work around for scopes? (in a way, yes, for native clients and UX for high value resources)
- error back would have to indicate "re-auth"; currently don't have this in OAuth spec.
- describe solution as scopes, refresh_tokens and access_tokens
- RS trusts the user's authZ server (this is the OAuth model - RS should not need to do additional user trust)
ACTION:
- remove acr from access_token
- provide guidance around managing and using access tokens and refresh_tokens (refresh at lower scopes to avoid user re-authentication).
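Added illustration of that guidance (not from the meeting or any iGov draft): an authorization server's refresh handler that re-issues a narrower-scope access token from the existing grant instead of sending the user back to log in, and keeps the login's ACR on the grant record rather than in the token. The scope-to-ACR policy, level numbers and names are assumed for the example.

```python
"""Refresh at lower scope instead of re-authenticating (added example)."""
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed policy: minimum authentication level each scope needs. Real
# deployments would map ACR URIs to these levels; constructed for this example.
SCOPE_MIN_ACR = {"profile": 1, "read:account": 1, "transfer:funds": 2}


@dataclass(frozen=True)
class RefreshGrant:
    """What the AS stores behind a refresh token. The ACR of the original
    login lives here, on the grant, never inside the issued access token."""
    subject: str
    scopes: frozenset
    acr_level: int


def handle_refresh(grant: RefreshGrant, requested_scope: Optional[str]) -> dict:
    """RFC 6749 section 6: a refresh request may ask for a subset of the
    originally granted scopes; it must never widen them. Scopes outside the
    grant, or above the ACR of the original login, are refused with the
    standard invalid_scope error. OAuth has no dedicated 're-auth' error,
    so on that error the client falls back to a fresh authorization request."""
    if requested_scope:
        requested = frozenset(requested_scope.split())
    else:
        requested = grant.scopes
    if not requested <= grant.scopes:
        return {"error": "invalid_scope",
                "error_description": "requested scope exceeds the original grant"}
    too_weak = sorted(s for s in requested
                      if SCOPE_MIN_ACR.get(s, 1) > grant.acr_level)
    if too_weak:
        return {"error": "invalid_scope",
                "error_description": "stronger authentication required for: "
                                     + " ".join(too_weak)}
    # Opaque bearer token; scope is the only authorization data it carries.
    return {"access_token": secrets.token_urlsafe(24),
            "token_type": "Bearer",
            "expires_in": 600,
            "scope": " ".join(sorted(requested))}
```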
OIDC:
Verifiable claims becomes a new spec (TBD)
- to follow up on how to get this spec rolling when needed.
MV