[Openid-specs-ab] UserInfoEndpoint, ClaimsEndpoint, Discovery, and friends
Nat Sakimura
sakimura at gmail.com
Wed May 4 13:15:07 UTC 2011
Sorry for not responding to this mail earlier. Somehow, it went to the Gmail
spam box...
My suggestion to this is to first separate the claims endpoint registration
issues and claims request/response. The latter is much easier to tackle than
the former. I would suggest that we leave the former out of scope for the
time being - i.e., let it be a manual process for now.
For the latter:
Ask claims by including the following in the request.
- General Purpose Statement
- Requester description (ID, Display Name)
- Jurisdiction of the requester
- ToS text / Link
- List of claims.
e.g.,
{
  "purpose": "To reserve the room at the hotel premise. To contact you with regard to this booking.",
  "requester": "Ex Hotel Holdings, KK.",
  "jurisdiction": "JP",
  "tos": "https://hotel.example.com/tos.html",
  "claims": {
    "schema": "ABC_Default",
    "email": "",
    "phone": "",
    "name": "",
    "address": ""
  }
}
Response would then look like:
{
  "email": "alice@wonderla.nd",
  "phone": "+81(3)1234-5678",
  "name": "Alice de Wonderland",
  "address": {
    "endpoint": "https://checkout.example.com/",
    "access_token": "afjs0fjd"
  }
}
OR
{
  "email": "alice@wonderla.nd",
  "phone": "+81(3)1234-5678",
  "name": "Alice de Wonderland",
  "access_tokens": [
    {
      "claim_type": "address",
      "endpoint": "https://checkout.example.com/",
      "access_token": "afjs0fjd"
    }
  ]
}
=nat
On Sat, Apr 23, 2011 at 6:03 AM, Breno de Medeiros <breno at google.com> wrote:
> There was much discussion in the most recent call about where we fit
> the UserInfoEndpoint, the ClaimsEndpoint, etc.
>
> The current proposal is to have the UserInfoEndpoint return user
> attributes as asserted by the Identity Provider/Server and have a
> separate endpoint that can be queried about claims that the IDP has
> aggregated. Chuck provided a concrete example in use by SalesForce,
> and there are also some industry efforts to use address claims issued
> by national entities in various countries.
>
> If the claims and services are to be obtained through 4th parties
> (i.e., not aggregated by the IDP but directly fetched from other
> parties) then how do we discover where to find the services/claim
> providers (and probably obtain a token for them at the same time)?
>
> I am not sure yet that we have a proposal that is both simple enough
> and flexible enough to satisfy known use cases. A possible topic of
> discussion for next meeting?
>
> --
> --Breno
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
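The request/response exchange proposed in the mail above, worked through in code as an added example (this is not code from the mail, the mailing list, or any OpenID specification). It assumes the two response shapes exactly as sketched: a delegated claim either replaces its value with an object carrying "endpoint" and "access_token", or is listed under a top-level "access_tokens" array. The sample messages, the schema name "ABC_Default", the hotel and the token value are constructed illustrations. The code normalizes both shapes into one view, reconciles what was asked for against what came back, and refuses to hold a bearer token for a claim endpoint that is not https, which is the check a relying party would want before ever presenting the token to a fourth party.

```python
import json
from urllib.parse import urlparse

# Constructed sample messages in the shape sketched in the mail above.
# All values (hotel, schema name "ABC_Default", token "afjs0fjd") are
# hypothetical illustrations, not identifiers from any specification.
CLAIMS_REQUEST = json.loads("""
{
  "purpose": "To reserve the room at the hotel premise. To contact you with regard to this booking.",
  "requester": "Ex Hotel Holdings, KK.",
  "jurisdiction": "JP",
  "tos": "https://hotel.example.com/tos.html",
  "claims": {"schema": "ABC_Default", "email": "", "phone": "", "name": "", "address": ""}
}
""")

# Form 1: the delegated claim carries its endpoint and token in place of a value.
RESPONSE_NESTED = json.loads("""
{
  "email": "alice@wonderla.nd",
  "phone": "+81(3)1234-5678",
  "name": "Alice de Wonderland",
  "address": {"endpoint": "https://checkout.example.com/", "access_token": "afjs0fjd"}
}
""")

# Form 2: delegated claims are collected in a top-level "access_tokens" list.
RESPONSE_LIST = json.loads("""
{
  "email": "alice@wonderla.nd",
  "phone": "+81(3)1234-5678",
  "name": "Alice de Wonderland",
  "access_tokens": [
    {"claim_type": "address", "endpoint": "https://checkout.example.com/", "access_token": "afjs0fjd"}
  ]
}
""")


def requested_claims(request):
    """Names of the claims asked for, ignoring the schema selector."""
    return {name for name in request["claims"] if name != "schema"}


def _checked_endpoint(endpoint):
    """Refuse to hold a bearer token for anything but an https origin."""
    parts = urlparse(endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-https claim endpoint: {endpoint!r}")
    return endpoint


def normalize_response(response):
    """Split a response into inline values and delegated references.

    Accepts both shapes: a claim whose value is an object carrying
    "endpoint" and "access_token", or a top-level "access_tokens" list of
    {"claim_type", "endpoint", "access_token"} objects.  Returns
    (inline, delegated) where delegated[claim] == (endpoint, access_token).
    """
    inline, delegated = {}, {}
    for name, value in response.items():
        if name == "access_tokens":
            for ref in value:
                delegated[ref["claim_type"]] = (
                    _checked_endpoint(ref["endpoint"]), ref["access_token"])
        elif isinstance(value, dict) and {"endpoint", "access_token"}.issubset(value):
            delegated[name] = (_checked_endpoint(value["endpoint"]), value["access_token"])
        else:
            inline[name] = value
    return inline, delegated


def reconcile(request, response):
    """Compare what was requested with what the provider returned."""
    inline, delegated = normalize_response(response)
    asked = requested_claims(request)
    got = set(inline) | set(delegated)
    return {
        "inline": inline,
        "delegated": delegated,
        "missing": sorted(asked - got),        # asked for, returned in no form
        "unrequested": sorted(got - asked),    # returned without being asked for
    }


if __name__ == "__main__":
    for label, resp in (("nested", RESPONSE_NESTED), ("list", RESPONSE_LIST)):
        print(label, json.dumps(reconcile(CLAIMS_REQUEST, resp), indent=2))
```

Both response shapes reduce to the same (inline, delegated) pair, so a relying party can accept either without caring which one the provider chose; the reconcile step is where a missing or unexpected claim becomes visible rather than silently ignored.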