[Openid-specs-ab] policy_uri perhaps needed in Core as well

Nat Sakimura sakimura at gmail.com
Tue Mar 11 18:44:17 UTC 2014


Hi

I was writing an article about the privacy-related features of OpenID Connect
and noticed that perhaps moving policy_uri to the dynamic registration spec was
a mistake.

From the point of view of the purpose specification, collection limitation
and data minimization, each data request should be as specific as possible.
That means, typically, there are multiple cases for a client, unless the
client is completely single purpose.

Considering this, perhaps the correct way was to do just like
redirect_uris. Let the client register multiple policy_uris and send a
policy_uri in the authorization request to pick one.

When one is using the request object, there are other ways of doing it, but
I thought that it may have been nicer to have the simple method as well.

Just my 2c.

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
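
Added example, not part of the original message or of any OpenID specification: a sketch of how an authorization server could handle the proposal above, treating the policy URI the way it treats redirect_uri. The `policy_uris` registration field, the `policy_uri` request parameter, the rule for an omitted parameter, and every name and URL below are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed client registration. "policy_uris" (plural) is the hypothetical
# field proposed in the message; Dynamic Registration defines one policy_uri.
CLIENT = {
    "client_id": "example-client",
    "redirect_uris": ["https://client.example.org/cb"],
    "policy_uris": [
        "https://client.example.org/policy/login",
        "https://client.example.org/policy/newsletter",
    ],
}


class InvalidRequest(ValueError):
    """The authorization request must be rejected."""


def select_policy_uri(client, authorization_url):
    """Return the policy URI the consent screen should show for this request."""
    params = parse_qs(urlsplit(authorization_url).query, keep_blank_values=True)
    values = params.get("policy_uri", [])
    if len(values) > 1:
        # A repeated parameter is ambiguous: refuse rather than pick one.
        raise InvalidRequest("policy_uri must not be repeated")
    registered = client["policy_uris"]
    if not values:
        # Assumption: omission is only unambiguous with one registered policy.
        if len(registered) == 1:
            return registered[0]
        raise InvalidRequest("policy_uri required when several are registered")
    requested = values[0]
    # Exact string comparison, as for redirect_uri: no normalisation and no
    # prefix or host-only matching, so the user is never pointed at a page
    # the client did not register.
    if requested not in registered:
        raise InvalidRequest("policy_uri is not registered for this client")
    return requested


if __name__ == "__main__":
    # Constructed authorization request selecting the newsletter policy.
    url = ("https://server.example.com/authorize?response_type=code"
           "&client_id=example-client&scope=openid%20email"
           "&redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb"
           "&policy_uri=https%3A%2F%2Fclient.example.org%2Fpolicy%2Fnewsletter")
    print(select_policy_uri(CLIENT, url))
```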