[OpenID] [Openid-specs-ab] Profile for using SCIM with OpenID Connect

Nat Sakimura sakimura at gmail.com
Tue Jun 21 22:38:02 UTC 2016 

I plan to read but it has to wait till next week.

On Tue, Jun 21, 2016, 13:53 Phil Hunt <phil.hunt at oracle.com> wrote:

> A question I received was about the apparent multiple ways to access a
> SCIM resource through the profile. In part this is because SCIM offers
> multiple ways in REST.  But also using the “/Me” path follows the pattern
> similar to Connect for the UserInfo endpoint. “/Me” is just the SCIM
> equivalent.
>
> It is also important to remember that while Connect “sub” and SCIM “id”
> may be similar in format, it will often be true that the values are unique
> and distinct. One identifier refers to the authentication context, while
> the other identifier refers to the SCIM profile context.
>
> So for backwards compatibility reasons, the thinking is not to force the
> two identifiers to be the same and to define “scim_id” to allow the client
> to use “sub” with OIDC protocol and “scim_id” with SCIM protocol.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt at oracle.com
>
>
>
>
>
> On Jun 21, 2016, at 9:32 AM, Phil Hunt <phil.hunt at oracle.com> wrote:
>
> Thanks Erik, found it (for some reason Facebook never notified me).
>
> Using the “/Me” follows the pattern used by Connect for the UserInfo
> endpoint. “/Me” is just the SCIM equivalent.
>
> However, in the broader use, we had some discussion that clients may want
> to know the actual id and location for the authenticated user for other
> reasons.  That said, we might argue that the client must actually do a scim
> get to the “/Me” endpoint to actually obtain the authenticated user’s id
> and resource location.
>
> Phil
>
> @independentid
> www.independentid.com
> phil.hunt at oracle.com
>
>
>
>
>
> On Jun 21, 2016, at 9:19 AM, Erik Wahlström <erik at wahlstromstekniska.se>
> wrote:
>
> Hi Phil,
> Did you get my 2 minute review? I sent it over facebook (that´s right :))
> to make sure that the review was my me acting as an individual, not from my
> company.
> / Erik
>
>
> On Tue, Jun 21, 2016 at 6:13 PM, Phil Hunt <phil.hunt at oracle.com> wrote:
>
>> Any comments or feedback? I know a number indicated they plan to read the
>> draft.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt at oracle.com
>>
>>
>>
>>
>>
>> On Jun 15, 2016, at 1:10 PM, Phil Hunt <phil.hunt at oracle.com> wrote:
>>
>> Please find attached, a draft proposal from Chuck Mortimore and myself on
>> using SCIM as an alternate endpoint for profile services in the context of
>> Connect.
>>
>> This specification defines:
>> a. Discovery metadata (scim_endpoint) indicating availability of a SCIM
>> Protocol base endpoint
>> b. Dynamic registration metadata (scim_profile) used to indicate a client
>> intends to use SCIM in addition to or instead of UserInfo
>> c. An additional ID Token claim (scim_id and scim_location) which
>> specifies the SCIM resource endpoint and identifier associated with the
>> authenticated subject.
>>
>> By doing this, clients can avoid having to do an external authorization
>> and another round of exchanges to access User profile information with full
>> CRUD features.
>>
>> Clients can also access SCIM’s more sophisticated query system to ask
>> questions if the authenticated user has particular conditions (e.g.
>> querying a sub-attribute such as “country” in the “addresses” attribute).
>>
>> As an example use case: A cloud provider wants to build a user-profile
>> self-service portal. OIDC does the authentication of the user and allows
>> the web service to access the CRUD features of SCIM for the updates.
>>
>> Phil
>>
>> @independentid
>> www.independentid.com
>> phil.hunt at oracle.com
>> <Draft: OpenID Connect Profile for SCIM Services.html>
>> <openid-connect-scim-profile-1_0.txt>
>>
>>
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
-- 
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20160621/89e919d3/attachment.html>

More information about the general mailing list