[Openid-specs-mobile-profile] [E] Question: mandatory vs Optional Scopes

Engan, Michael Michael.Engan1 at T-Mobile.com
Wed Aug 29 18:57:14 UTC 2018


That would work for me.  I still believe it should be an SP task to stitch the user experience. But I would probably have to disagree with the single "Phone_number" attribute.   If an SP sends you to the MNO to authenticate, and the SP wants your phone number (with a signed assertion from the carrier that the phone number is accurate), it would not make sense for the SP to ask the user for their phone number instead.

From: Hjelm, Bjorn <Bjorn.Hjelm at VerizonWireless.com>
Sent: Wednesday, August 29, 2018 11:53 AM
To: Engan, Michael <Michael.Engan1 at T-Mobile.com>; openid-specs-mobile-profile at lists.openid.net; Fletcher, George <george.fletcher at oath.com>
Cc: GORHAM, MARIA C <mg1928 at att.com>
Subject: RE: [E] [Openid-specs-mobile-profile] Question: mandatory vs Optional Scopes

The RP would state that a given "claim" is essential but would require the OP to support the claims parameter <http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter>. It's worth noting that the "claims_parameter_supported Discovery result indicates whether the OP supports this parameter."

In talking to George, the general practice in a use case like this (where the RP asks for a set of attributes and the user chooses to not provide them) is that the RP would ask the user directly for those attributes if they are required.

BR,
Bjorn

From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Engan, Michael
Sent: Wednesday, August 29, 2018 10:52 AM
To: openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>; Hjelm, Bjorn
Cc: GORHAM, MARIA C
Subject: [E] [Openid-specs-mobile-profile] Question: mandatory vs Optional Scopes

We have had requests from marketing teams to review SPs being able to define scopes as optional vs mandatory.

Today our assumptions are that the scopes requested in an OpenID Connect request are optional. If the SP for instance asks for
Scopes=(openid email phone), the user could select/deselect email or phone.

Instead of the SP having to give the user an error that the user can't proceed because one of the attributes was not provided, the SP could instead ask for a failed authentication for any scope being de-selected.

Is this a feature/experience that has come up with anyone else before?
Is there any suggestion in how to support this without doing something too far off spec?
Michael Engan
Principal Systems Architect,
Authentication, Authorization, & API security
12920 SE 38th Street | Bellevue, WA 98006
Direct 425-383-2268 | Mobile 425-443-3463
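As an added example that is not part of this thread or of any OpenID Foundation code, the following Python shows the mechanism Bjorn points to: an RP checks the OP's Discovery metadata for claims_parameter_supported and, when it is advertised, marks the attributes it needs as essential through the claims request parameter (OpenID Connect Core 1.0, section 5.5). The issuer, endpoints and client values are constructed placeholders. The last function shows the RP-side follow-up: Core 5.5.1 says the OP must not generate an error merely because essential claims were not returned, so the RP still has to detect missing claims itself and then, as described in the thread, collect them from the user directly.

```python
"""Added example (not from the mailing-list thread): building an OpenID
Connect authorization request that marks claims as essential via the
`claims` parameter, gated on the OP's Discovery metadata, plus the RP-side
check for essential claims that came back missing. Hypothetical values."""
import json
from urllib.parse import urlencode

# Constructed sample Discovery document, i.e. what a hypothetical OP's
# /.well-known/openid-configuration might return.
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example",
    "authorization_endpoint": "https://op.example/authorize",
    "claims_parameter_supported": True,
    "scopes_supported": ["openid", "email", "phone"],
}


def essential_claims_request(claim_names):
    """Build the value of the `claims` parameter, asking for each named claim
    as essential in both the ID Token and the UserInfo response."""
    spec = {name: {"essential": True} for name in claim_names}
    return {"id_token": dict(spec), "userinfo": dict(spec)}


def build_authorization_url(discovery, client_id, redirect_uri, state, required_claims):
    """Compose the authorization request. If the OP advertises
    claims_parameter_supported, attach the essential-claims JSON; otherwise
    fall back to plain scopes, where every requested scope stays optional."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email phone",
        "state": state,  # CSRF binding for the callback
    }
    if discovery.get("claims_parameter_supported", False):
        params["claims"] = json.dumps(
            essential_claims_request(required_claims), separators=(",", ":")
        )
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def missing_essential_claims(required_claims, returned_claims):
    """After the ID Token / UserInfo response: list the essential claims the
    OP did not return (for example because the user de-selected them).
    'essential' is a hint to the OP, not a guarantee, so the RP must handle
    their absence, e.g. by prompting the user for the attribute itself."""
    return [name for name in required_claims if name not in returned_claims]


if __name__ == "__main__":
    url = build_authorization_url(
        SAMPLE_DISCOVERY, "rp-client-id", "https://rp.example/cb",
        "state-123", ["phone_number"],
    )
    print(url)
    # Constructed sample: the user released email but not phone_number.
    returned = {"sub": "user-1", "email": "user@example.com"}
    print(missing_essential_claims(["phone_number", "email"], returned))
```

Because the OP is not required to fail the authentication when an essential claim is withheld, the `missing_essential_claims` check is where the RP decides whether to proceed, re-prompt, or collect the attribute directly; a scope-only request (the fallback branch) gives the RP no way to express that preference at all.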
