[OpenID] Return Authorities to Client
Cal Heldenbrand
cal at fbsdata.com
Mon Dec 7 14:43:45 UTC 2015
I'll take a crack at this, even though I'm probably not the most qualified
to do so. OAuth2 scopes are outside the specification scope of OpenID
Connect.
However, section 5.1.2
<http://openid.net/specs/openid-connect-core-1_0.html#AdditionalClaims>
states that you can add any custom claims that you'd like. Pick a unique
name like "mitre_scopes" and add it to your discovery document's
<http://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata>
claims_supported property. Then expose that claim as an array over ID
Tokens/UserInfo as normal.
This is non-standard though, so it doesn't fully answer your question. You
might want to take a look at User-Managed Access (UMA) which is a standard
way of conveying authorization / access control between many parties. I'm
in my beginning phases of researching UMA, so don't take my advice too
heavily. ;-)
Good luck!
--Cal
---------------------------------------------------------------
Cal Heldenbrand
Web Operations at FBS
Creators of flexmls <http://flexmls.com>® and Spark Platform
<http://sparkplatform.com>
cal at fbsdata.com
On Mon, Dec 7, 2015 at 4:42 AM, Steve Garing <steve.garing at guvera.com>
wrote:
> Hi,
>
> Is there a standard way to return the authorities to a client? I haven’t
> been able to get the authorities returned via standard functionality in the
> MITREid Connect project and we’d like the clients to have visibility of a
> user's role to determine some client side functionality.
>
> Would it be correct to think that the clients can request an extra scope
> like ‘authorities’ and then provide the authorities in the id_token and
> from the userinfo endpoint?
>
> Thanks,
> Steve
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
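Added example (not code from the thread, nor from MITREid Connect or any OpenID library): the custom-claim approach Cal describes, end to end. A stand-in provider advertises a hypothetical claim named "mitre_scopes" in its discovery metadata's claims_supported and places it as a string array in the ID Token; the client validates the token's signature, issuer, audience and expiry before reading the claim, and only then surfaces the roles for client-side UI gating. The discovery document, the HS256 shared secret, the issuer URL, and all claim values are constructed for the demo (a real deployment would use the provider's published JWKS and asymmetric signatures).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample discovery metadata, not a real provider's document.
# "mitre_scopes" is the hypothetical custom claim name suggested in the thread.
CUSTOM_CLAIM = "mitre_scopes"
DISCOVERY = {
    "issuer": "https://op.example.test",
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", CUSTOM_CLAIM],
}
# Stand-in HS256 key for the demo; a real client would fetch the OP's JWKS instead.
SHARED_SECRET = b"constructed-demo-secret-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Provider side: build an HS256-signed JWT carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, expected_aud: str,
                    secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Client side: check signature, issuer, audience and expiry before trusting any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the expected algorithm; never let the token's own 'alg' pick the verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("iss") != DISCOVERY["issuer"]:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == expected_aud or (isinstance(aud, list) and expected_aud in aud)):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def extract_roles(claims: dict) -> list:
    """Read the custom array claim only if it is advertised and well-formed; else no roles."""
    if CUSTOM_CLAIM not in DISCOVERY["claims_supported"]:
        return []
    value = claims.get(CUSTOM_CLAIM)
    if not isinstance(value, list) or not all(isinstance(v, str) for v in value):
        return []
    return sorted(set(value))


def client_roles_for(token: str, client_id: str, now=None) -> list:
    """Validate the ID Token, then return the user's roles for client-side UI decisions."""
    return extract_roles(verify_id_token(token, client_id, now=now))


if __name__ == "__main__":
    now = 1449500000  # fixed clock so the demo is reproducible
    tok = mint_id_token({
        "iss": DISCOVERY["issuer"], "sub": "alice", "aud": "my-client",
        "iat": now, "exp": now + 600, CUSTOM_CLAIM: ["ROLE_USER", "ROLE_ADMIN"],
    })
    print(client_roles_for(tok, "my-client", now=now))
```

The roles the client reads this way are good for hiding or showing UI elements, which is what the question asks for; they are not an authorization decision. The resource server still has to enforce access on its own side, and the client must treat the claim as untrusted until the token's signature, iss, aud and exp have all been checked, which is why extract_roles is only ever called on the output of verify_id_token.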