<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class="">A question I received was about the apparent multiple ways to access a SCIM resource through the profile. In part this is because SCIM offers multiple ways in REST. But also using the “/Me” path follows the pattern similar to Connect for the UserInfo endpoint. “/Me” is just the SCIM equivalent.</div><div class=""><br class="">It is also important to remember that while Connect “sub” and SCIM “id” may be similar in format, it will often be true that the values are unique and distinct. One identifier refers to the authentication context, while the other identifier refers to the SCIM profile context.</div><div class=""><br class=""></div><div class="">So for backwards compatibility reasons, the thinking is not to force the two identifiers to be the same and to define “scim_id” to allow the client to use “sub” with OIDC protocol and “scim_id” with SCIM protocol.</div><div class=""><br class=""></div><div class=""><div class="">Phil</div><div class=""><div class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><span class="Apple-style-span" style="border-collapse: separate; line-height: normal; border-spacing: 0px;"><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: 
space; -webkit-line-break: after-white-space;"><div class=""><div class=""><div class=""><br class=""></div><div class="">@independentid</div><div class=""><a href="http://www.independentid.com" class="">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" class="" style="orphans: 2; widows: 2;">phil.hunt@oracle.com</a></div><div class=""><br class=""></div></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
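<div class="">Added example (not from the thread or the draft): a Python sketch of how a client would resolve the authenticated user's SCIM resource from the pieces named in this thread, the "scim_endpoint" discovery metadata, the "scim_id" and "scim_location" ID Token claims, and the "/Me" fallback when those claims are absent. The discovery document, token claims, identifiers and the SCIM User resource are constructed sample values; the helper names, the same-origin check on scim_location before a bearer token is sent, and the assumption that the ID Token has already been signature-validated are mine, not the draft's. It keeps "sub" and "scim_id" separate, as the message above recommends.</div>

```python
"""Resolving the authenticated user's SCIM resource from an OIDC ID token.

Constructed example. The "scim_endpoint" discovery key and the "scim_id" /
"scim_location" ID Token claims are the names used in the draft discussed in
the thread; every URL, identifier and helper name below is made up.
"""
from urllib.parse import urlsplit

# Constructed OP discovery document (openid-configuration) carrying the
# draft's "scim_endpoint" metadata alongside the standard userinfo endpoint.
DISCOVERY = {
    "issuer": "https://op.example.com",
    "userinfo_endpoint": "https://op.example.com/userinfo",
    "scim_endpoint": "https://op.example.com/scim/v2",
}

# Constructed, already signature-verified ID Token claims. Note that "sub"
# (authentication context) and "scim_id" (SCIM profile context) differ.
CLAIMS_WITH_SCIM = {
    "iss": "https://op.example.com",
    "sub": "248289761001",
    "aud": "s6BhdRkqt3",
    "scim_id": "2819c223-7f76-453a-919d-413861904646",
    "scim_location": "https://op.example.com/scim/v2/Users/2819c223-7f76-453a-919d-413861904646",
}

# The same token without the SCIM claims: the client must fall back to GET /Me.
CLAIMS_WITHOUT_SCIM = {k: v for k, v in CLAIMS_WITH_SCIM.items() if not k.startswith("scim_")}

# Constructed SCIM User resource as returned by GET {scim_endpoint}/Me.
ME_RESPONSE = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "id": "2819c223-7f76-453a-919d-413861904646",
    "userName": "bjensen",
    "meta": {
        "resourceType": "User",
        "location": "https://op.example.com/scim/v2/Users/2819c223-7f76-453a-919d-413861904646",
    },
}


def scim_identifier(claims):
    """Return the SCIM resource id from the claims, never the OIDC "sub".

    The two identifiers belong to different contexts and are not interchangeable;
    a client that lacks the claim has to ask /Me rather than reuse "sub".
    """
    return claims.get("scim_id")


def location_under_endpoint(location, endpoint):
    """Check that scim_location lies inside the discovered scim_endpoint.

    Added safeguard (hypothetical, not from the draft): the access token should
    only be sent to the SCIM service the OP advertised, so a location with a
    different origin, a non-TLS scheme or a path outside the endpoint is rejected.
    """
    loc, base = urlsplit(location), urlsplit(endpoint)
    same_origin = (loc.scheme, loc.netloc) == (base.scheme, base.netloc)
    prefix = base.path.rstrip("/") + "/"
    return loc.scheme == "https" and same_origin and loc.path.startswith(prefix)


def resolve_scim_resource(discovery, claims, fetch_me):
    """Return (scim_id, scim_location) for the authenticated subject.

    Uses the ID Token claims when both are present; otherwise calls fetch_me
    (a callable that performs the authenticated GET on {scim_endpoint}/Me) and
    reads "id" and "meta.location" from the returned SCIM User resource.
    """
    endpoint = discovery.get("scim_endpoint")
    if not endpoint:
        raise ValueError("OP does not advertise a SCIM endpoint")
    scim_id = scim_identifier(claims)
    location = claims.get("scim_location")
    if scim_id and location:
        if not location_under_endpoint(location, endpoint):
            raise ValueError("scim_location is outside the discovered scim_endpoint")
        return scim_id, location
    # No usable claims: /Me is the authoritative way to learn id and location.
    me = fetch_me(endpoint.rstrip("/") + "/Me")
    location = me["meta"]["location"]
    if not location_under_endpoint(location, endpoint):
        raise ValueError("/Me returned a location outside the discovered scim_endpoint")
    return me["id"], location


def fake_fetch_me(url):
    """Stand-in for the authenticated HTTP GET; returns the constructed resource."""
    if url != "https://op.example.com/scim/v2/Me":
        raise ValueError("unexpected /Me URL: " + url)
    return ME_RESPONSE


if __name__ == "__main__":
    print(resolve_scim_resource(DISCOVERY, CLAIMS_WITH_SCIM, fake_fetch_me))
    print(resolve_scim_resource(DISCOVERY, CLAIMS_WITHOUT_SCIM, fake_fetch_me))
```

<div class="">Both paths yield the same (id, location) pair for the sample data; the claims path saves the extra round trip, while the /Me path is what a client must do when the OP issues no SCIM claims. The origin check matters because the location claim tells the client where to send a bearer token.</div>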
<br class=""><div><blockquote type="cite" class=""><div class="">On Jun 21, 2016, at 9:32 AM, Phil Hunt <<a href="mailto:phil.hunt@oracle.com" class="">phil.hunt@oracle.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><meta http-equiv="Content-Type" content="text/html charset=utf-8" class=""><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Thanks Erik, found it (for some reason Facebook never notified me).<div class=""><br class=""></div><div class="">Using the “/Me” follows the pattern used by Connect for the UserInfo endpoint. “/Me” is just the SCIM equivalent.</div><div class=""><br class=""></div><div class="">However, in the broader use, we had some discussion that clients may want to know the actual id and location for the authenticated user for other reasons. That said, we might argue that the client must actually do a scim get to the “/Me” endpoint to actually obtain the authenticated user’s id and resource location. </div><div class=""><br class=""></div><div class=""><div class="">
<div style="letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div class=""><span class="Apple-style-span" style="border-collapse: separate; line-height: normal; border-spacing: 0px;"><div class="" style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div class=""><div class=""><div class="">Phil</div><div class=""><br class=""></div><div class="">@independentid</div><div class=""><a href="http://www.independentid.com/" class="">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" class="" style="orphans: 2; widows: 2;">phil.hunt@oracle.com</a></div><div class=""><br class=""></div></div><br class="Apple-interchange-newline"></div><br class="Apple-interchange-newline"><br class="Apple-interchange-newline">
</div>
<br class=""><div class=""><blockquote type="cite" class=""><div class="">On Jun 21, 2016, at 9:19 AM, Erik Wahlström <<a href="mailto:erik@wahlstromstekniska.se" class="">erik@wahlstromstekniska.se</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi Phil,<div class="">Did you get my 2 minute review? I sent it over Facebook (that's right :)) to make sure that the review was by me acting as an individual, not from my company.</div><div class="gmail_extra">/ Erik</div><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, Jun 21, 2016 at 6:13 PM, Phil Hunt <span dir="ltr" class=""><<a href="mailto:phil.hunt@oracle.com" target="_blank" class="">phil.hunt@oracle.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word" class="">Any comments or feedback? I know a number indicated they plan to read the draft.<div class=""><br class=""><div class="">
<div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div style="letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; word-wrap: break-word;" class=""><div class=""><span style="border-collapse:separate;line-height:normal;border-spacing:0px" class=""><div style="word-wrap:break-word" class=""><div class=""><div class=""><div class="">Phil</div><div class=""><br class=""></div><div class="">@independentid</div><div class=""><a href="http://www.independentid.com/" target="_blank" class="">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" target="_blank" class="">phil.hunt@oracle.com</a></div><div class=""><br class=""></div></div><br class=""></div><br class=""><br class="">
</div>
<br class=""><div class=""><blockquote type="cite" class=""><div class=""><div class="h5"><div class="">On Jun 15, 2016, at 1:10 PM, Phil Hunt <<a href="mailto:phil.hunt@oracle.com" target="_blank" class="">phil.hunt@oracle.com</a>> wrote:</div><br class=""></div></div><div class=""><div class=""><div class="h5"><div style="word-wrap:break-word" class="">Please find attached, a draft proposal from Chuck Mortimore and myself on using SCIM as an alternate endpoint for profile services in the context of Connect.<div class=""><br class=""></div><div class="">This specification defines:</div><div class="">a. Discovery metadata (scim_endpoint) indicating availability of a SCIM Protocol base endpoint</div><div class="">b. Dynamic registration metadata (scim_profile) used to indicate a client intends to use SCIM in addition to or instead of UserInfo</div><div class="">c. An additional ID Token claim (scim_id and scim_location) which specifies the SCIM resource endpoint and identifier associated with the authenticated subject.</div><div class=""><br class=""></div><div class="">By doing this, clients can avoid having to do an external authorization and another round of exchanges to access User profile information with full CRUD features.</div><div class=""><br class=""></div><div class="">Clients can also access SCIM’s more sophisticated query system to ask questions if the authenticated user has particular conditions (e.g. querying a sub-attribute such as “country” in the “addresses” attribute). </div><div class=""><br class=""></div><div class="">As an example use case: A cloud provider wants to build a user-profile self-service portal. OIDC does the authentication of the user and allows the web service to access the CRUD features of SCIM for the updates.</div><div class=""><br class=""></div><div class=""><div class="">
<div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div class=""><span style="border-collapse:separate;line-height:normal;border-spacing:0px" class=""><div style="word-wrap:break-word" class=""><div class=""><div class=""><div class="">Phil</div><div class=""><br class=""></div><div class="">@independentid</div><div class=""><a href="http://www.independentid.com/" target="_blank" class="">www.independentid.com</a></div></div></div></div></span><a href="mailto:phil.hunt@oracle.com" target="_blank" class="">phil.hunt@oracle.com</a></div><div class=""></div></div></div></div></div></div></div></div><span class=""><span class=""><Draft: OpenID Connect Profile for SCIM Services.html></span><div style="word-wrap:break-word" class=""><div class=""><div class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div class=""></div></div></div></div></div></div><span class=""><openid-connect-scim-profile-1_0.txt></span><div style="word-wrap:break-word" class=""><div class=""><div class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;word-wrap:break-word" class=""><div class=""></div></div><br class=""></div><br class=""><br class="">
</div>
<br class=""></div></div>_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" class="">Openid-specs-ab@lists.openid.net</a><br class=""><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class=""></span></div></blockquote></div><br class=""></div></div>
<br class=""></blockquote></div><br class=""></div></div>
</div></blockquote></div><br class=""></div></div></div></blockquote></div><br class=""></div></div></body></html>