[Openid-specs-ab] Identifiers
Mike Jones
Michael.Jones at microsoft.com
Mon Dec 27 19:57:38 UTC 2010
Shouldn't the canonical form of identifiers using e-mail address syntax be either a mailto: or acct: URI?
-- Mike
-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Monday, December 27, 2010 6:16 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Identifiers
We have had several discussions about the new Connect-type identifier format proposed by David being more SAML-like (his idea).
This would break it into two parts.
1: IdP identifier (Issuer/EntityID)
2: LocalID (Subject)
The question was around whether they should be formatted LocalID@IdP or as two elements to save parsing.
One question is when you have an attribute provider (3rd-party protected resource) and it returns a JWT for the Subject based on an IdP-supplied access token.
We need to specify the Issuer of the JWT separately from the Issuer of the original Identity assertion.
If we are going to allow 3rd parties to make assertions about subjects, having a fully qualified name format may be a useful thing.
I don't think in our discussion at Facebook we had a good reason to keep a fully qualified name format.
I am now leaning in favour of the LocalID@IdP format being included in all assertions and the older URL format being included for backwards compatibility.
Are there any opinions about having something like an optional "name Identifier format" element so we could say explicitly if the identifier is PPID or something else?
Hope everyone had a good Christmas.
We need to get rolling with this in the New Year.
John B.
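As an added illustration, not code from this thread or from any OpenID Connect specification, the following shows one way to handle both points raised above: Mike's question about a canonical mailto:/acct: URI form, and John's split of an identifier into the two elements IdP identifier (Issuer) and LocalID (Subject). The acct: scheme was later standardised in RFC 7565 and mailto: in RFC 6068. The decisions to lowercase only the IdP (host) part, to compare the LocalID part byte-for-byte, and to reject any string with more or fewer than one "@" are design assumptions made here, not conclusions of the thread; the security point they serve is that two spellings of the same subject must compare equal, and a string that could parse as two different subjects must not be accepted at all.

```python
"""Canonicalising e-mail-syntax identifiers of the form LocalID@IdP.

Added example (not from the openid-specs-ab thread). Assumptions:
  * the IdP part is a DNS host name, so it is case-insensitive and lowercased;
  * the LocalID part is compared byte-for-byte (case-sensitive);
  * acct: (RFC 7565) or mailto: (RFC 6068) is the URI scheme of the
    canonical form.
"""
import re
from dataclasses import dataclass

# Conservative LocalID grammar: printable ASCII, no whitespace, no "@".
_LOCAL_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~.]+$")
# IdP part: two or more DNS labels, already lowercased by the caller.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z][a-z0-9-]{0,61}[a-z0-9]$"
)


@dataclass(frozen=True)
class Identifier:
    """The two-element form John describes: IdP (Issuer) and LocalID (Subject)."""
    local_id: str
    idp: str

    def canonical(self) -> str:
        """The single-string LocalID@IdP form."""
        return f"{self.local_id}@{self.idp}"

    def as_uri(self, scheme: str = "acct") -> str:
        """The URI form Mike asks about; only acct: and mailto: are accepted."""
        if scheme not in ("acct", "mailto"):
            raise ValueError("scheme must be 'acct' or 'mailto'")
        return f"{scheme}:{self.canonical()}"


def parse_identifier(raw: str) -> Identifier:
    """Parse 'local@idp', 'acct:local@idp' or 'mailto:local@idp'.

    Rejects anything that does not contain exactly one '@', so an input
    that could be read as two different subjects never gets through.
    """
    s = raw.strip()
    lowered = s.lower()
    for scheme in ("acct:", "mailto:"):
        if lowered.startswith(scheme):
            s = s[len(scheme):]
            break
    if s.count("@") != 1:
        raise ValueError(f"identifier must contain exactly one '@': {raw!r}")
    local_id, host = s.split("@")
    if not _LOCAL_RE.match(local_id):
        raise ValueError(f"bad LocalID part in {raw!r}")
    # Trailing dot and letter case carry no meaning in a host name.
    host = host.rstrip(".").lower()
    if not _HOST_RE.match(host):
        raise ValueError(f"bad IdP part in {raw!r}")
    return Identifier(local_id=local_id, idp=host)


def join_identifier(idp: str, local_id: str) -> Identifier:
    """Build the single-string form from the two elements, with validation."""
    return parse_identifier(f"{local_id}@{idp}")


def split_for_assertion(raw: str) -> tuple:
    """Return (issuer, subject), the two-element form for an assertion."""
    ident = parse_identifier(raw)
    return (ident.idp, ident.local_id)


def same_subject(a: str, b: str) -> bool:
    """True when two spellings denote the same subject after canonicalisation."""
    return parse_identifier(a) == parse_identifier(b)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    for raw in ("acct:Alice@IdP.Example", "mailto:alice@idp.example.", "Bob@idp.example"):
        ident = parse_identifier(raw)
        print(f"{raw!r:32} -> {ident.as_uri()}  split={split_for_assertion(raw)}")
    print("same subject:", same_subject("mailto:Alice@IDP.EXAMPLE.", "acct:Alice@idp.example"))
```

Running the module prints the canonical acct: URI and the two-element split for each sample; an input such as one containing two "@" characters raises ValueError rather than being silently split at the first or last one.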