[OpenID] Return Authorities to Client

Steve Garing steve.garing at guvera.com
Tue Dec 8 05:26:02 UTC 2015


Thanks John,

Thanks for clearing it up.  I’ve had a look into the difference between
scopes and claims (I think the line was a little blurred for me before).
From what I see I have 2 choices, one to add a scope for that specific
claim, or two to add that claim to an existing scope.

MITREid does allow for claims to be passed to the userinfo endpoint and
after testing it does appear to be fully functional.  Editing the claims does
not appear to be as straightforward so I think I’ll be digging deeper than
I hoped for this change.

For some reason I thought the authorities would always be present in the
id_token or from the userinfo endpoint.  Maybe our use case is wrong but
for us it’s a major piece of detail that allows our clients and distributed
resource servers to determine access levels.  For clients it would be for
determining access to specific views like admin sections (rather than
calling a server to determine if they can access the admin view etc).  For
resource servers it is probably not as much of a big deal as we work off ‘sub’
more than anything else.

Thanks
Steve


On Tue, Dec 8, 2015 at 12:54 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> You can add it as a scope or as a claim depending on how you are
> constructing the UI.   I don’t know if MITREid supports asking for specific
> claims from the user_info endpoint.
> http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
>
> John B.
>
> On Dec 7, 2015, at 7:42 AM, Steve Garing <steve.garing at guvera.com> wrote:
>
> Hi,
>
> Is there a standard way to return the authorities to a client?  I haven’t
> been able to get the authorities returned via standard functionality in the
> MITREid Connect project and we’d like the clients to have visibility of a
> user's role to determine some client side functionality.
>
> Would it be correct to think that the clients can request an extra scope
> like ‘authorities’ and then provide the authorities in the id_token and
> from the userinfo endpoint?
>
> Thanks,
> Steve
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
>


-- 
*Steve Garing*
Senior Software Engineer
*Guvera Australia Pty Ltd.*
Suite 903, Level 9, The Rocket
203 Robina Town Centre Drive
Robina, QLD, 4226
Australia
PO Box 4232 Robina TC QLD 4230
*Phone *+61 (0) 7 5578 8987

*Email *steve.garing at guvera.com
*Web *www.guvera.com
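The two options discussed in this thread, requesting a role claim with the OIDC `claims` request parameter that John links to and then consuming it on the client, as an added example. This is not code from MITREid Connect or from anyone on the list; it assumes a custom claim named `authorities` (a JSON array of strings), an OP that honours the `claims` parameter, and placeholder values for the issuer, client_id and the `ROLE_ADMIN` role name. The client-side check only gates UI such as an admin view, as Steve describes; the resource servers still decide access on every request from their own validation of the access token and `sub`.

```python
"""Requesting a custom 'authorities' claim via the OIDC claims parameter and
consuming it on the client.

Added example; not code from MITREid Connect or the mailing-list thread.
Assumptions: the OP exposes a custom claim named "authorities" (a JSON array
of strings) and honours the 'claims' request parameter (OpenID Connect Core
1.0 section 5.5); issuer, client_id and role names below are placeholders.
"""
import json
from urllib.parse import urlencode

ISSUER = "https://op.example.com"      # placeholder OP issuer
CLIENT_ID = "example-client"           # placeholder client_id
ADMIN_AUTHORITY = "ROLE_ADMIN"         # assumed role string; adjust to your OP


def build_claims_request(claim_name="authorities", essential=True):
    """JSON object for the 'claims' parameter: ask for the claim both in the
    ID Token and from the UserInfo endpoint, so a client that only receives
    the ID Token still gets it and a client calling UserInfo gets it too."""
    member = {"essential": essential}
    return {"id_token": {claim_name: member}, "userinfo": {claim_name: member}}


def build_authorization_url(authorize_endpoint, redirect_uri, state, nonce,
                            claim_name="authorities"):
    """Authorization Code flow request carrying the claims parameter.
    'state' and 'nonce' must be unguessable per-request values."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        # compact JSON keeps the query string short
        "claims": json.dumps(build_claims_request(claim_name),
                             separators=(",", ":")),
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def id_token_problems(claims, expected_nonce, now):
    """Validation a client must do on the payload of an ID Token whose
    signature has ALREADY been verified (Core 1.0 section 3.1.3.7, subset).
    Returns a list of failure reasons; an empty list means the token is
    acceptable and its claims (including 'authorities') may be trusted."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if CLIENT_ID not in audiences:
        problems.append("client_id not in aud")
    elif len(audiences) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("multiple audiences without matching azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("token expired or exp missing")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    return problems


def extract_authorities(id_token_claims, userinfo=None, claim_name="authorities"):
    """Authorities from the ID Token, falling back to the UserInfo response.
    The UserInfo 'sub' must equal the ID Token 'sub' (Core 1.0 section 5.3.2)
    before its claims are used. Returns a frozenset of strings."""
    value = id_token_claims.get(claim_name)
    if value is None and userinfo is not None:
        if userinfo.get("sub") != id_token_claims.get("sub"):
            raise ValueError("UserInfo sub does not match ID Token sub")
        value = userinfo.get(claim_name)
    if value is None:
        return frozenset()
    if isinstance(value, str):          # tolerate a single string value
        value = [value]
    return frozenset(str(v) for v in value)


def can_show_admin_view(authorities):
    """Client-side view gating only: the resource server still enforces
    access on every request using its own validation of the access token."""
    return ADMIN_AUTHORITY in authorities


if __name__ == "__main__":
    # Constructed sample: a signature-verified ID Token payload and a UserInfo
    # response that carries the authorities claim
    NOW = 1_449_550_000
    id_token = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
                "exp": NOW + 300, "iat": NOW, "nonce": "nonce-abc"}
    userinfo = {"sub": "user-123", "authorities": ["ROLE_USER", "ROLE_ADMIN"]}
    print(build_authorization_url(ISSUER + "/authorize",
                                  "https://client.example.com/cb",
                                  "state-xyz", "nonce-abc"))
    print("problems:", id_token_problems(id_token, "nonce-abc", NOW))
    auths = extract_authorities(id_token, userinfo)
    print("authorities:", sorted(auths), "admin view:", can_show_admin_view(auths))
```

Whether an OP actually returns the claim in the ID Token, only from UserInfo, or not at all depends on its configuration (the point Steve hit with MITREid), which is why `extract_authorities` checks the ID Token first and falls back to UserInfo only after matching `sub`.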