[Openid-specs-ab] SCOPE not selectable
Preibisch, Sascha H
Sascha.Preibisch at ca.com
Mon Aug 17 18:50:45 UTC 2015
Thanks Justin!
I guess it comes down to a single IdP to implement it the way he wants to enable users to be in control. It seems to be difficult to get a general consent on this topic.
Thanks,
Sascha
From: Justin Richer <jricher at mit.edu>
Date: Monday, August 17, 2015 at 10:01 AM
To: Sascha Preibisch <sascha.preibisch at ca.com>
Cc: "openid-specs-ab at lists.openid.net Ab" <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] SCOPE not selectable
The optionality and deselection of scopes is the purview of the IdP and its security policies. Some implementations of OIDC allow the user to deselect scopes (MITREid Connect, which I work on, does for instance) while others only allow for an overall yes/no approval (Google is like this, for instance).
The previous version of OpenID tried to have "optional" and "required" information sets with SREG and AX, but in both of these cases, RPs just sent everything as "required". The optionality was completely ignored in practice, and I suspect it would be again.
In OAuth and OIDC, if the client doesn't get the scopes it wants, it can ask again until the user gives up trying to make it work.
- Justin
On Aug 17, 2015, at 12:34 PM, Preibisch, Sascha H <Sascha.Preibisch at ca.com> wrote:
Hi!
It may be an old topic, but on the weekend I got a new Android phone and I attempted to install the LinkedIn and Twitter apps. Both apps requested about 10 permissions, which I denied, and therefore did not install them.
I may be the only one who is annoyed by that but what is the reason why there is no effort in creating "optional" permissions? In the earlier development phase of OpenID Connect I joined a working group call and showed an example of an authorization page that required SCOPE "openid" but others were de-selectable by the resource owner. The others on that call did not appreciate that idea.
At IIW in March/April 2014 Justin also mentioned the problem (what to do if requested SCOPE=LIVE KILL), but I do not see anyone addressing that or trying to change it.
Thanks for any thoughts on that,
Sascha
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
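A sketch of the two IdP behaviours Justin describes (per-scope deselection versus all-or-nothing approval, with "openid" never deselectable) and of how an RP copes with a reduced grant; this is an added example, not code from the thread or from MITREid Connect or Google, and the policy object, function names and token values are assumptions.

```python
"""Consent decision for requested OAuth/OIDC scopes (constructed example).

RFC 6749 section 5.1: the token response must carry "scope" when the
granted scope differs from what the client requested.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IdpPolicy:
    """Hypothetical IdP policy; names are this example's own."""
    selectable: bool                              # user may untick scopes
    required: frozenset = frozenset({"openid"})   # never deselectable


def decide_consent(policy, requested, user_unchecked, user_approves):
    """Return the granted scope set for one consent decision.

    requested:      scopes in the authorization request
    user_unchecked: scopes the user unticked on the consent page
    user_approves:  whether the user pressed "allow" at all
    """
    requested = set(requested)
    if not user_approves:
        raise PermissionError("access_denied")
    if not policy.selectable:
        return frozenset(requested)               # all-or-nothing IdP
    # Required scopes cannot be deselected; unticking them is ignored.
    deselected = set(user_unchecked) - policy.required
    return frozenset(requested - deselected)


def token_response(requested, granted):
    """Scope-related part of the token response (RFC 6749 section 5.1)."""
    resp = {"token_type": "Bearer", "access_token": "<constructed-token>"}
    if set(requested) != set(granted):
        resp["scope"] = " ".join(sorted(granted))  # REQUIRED when it differs
    return resp


def rp_check(granted, needed, optional):
    """RP side: may it proceed, and which optional features must it disable?

    Returns (can_proceed, sorted list of optional scopes not granted).
    """
    granted = set(granted)
    can_proceed = not (set(needed) - granted)
    return can_proceed, sorted(set(optional) - granted)
```

An RP that treats every scope as "needed" is the behaviour Justin warns about; the `optional` list is what lets it degrade gracefully instead of re-prompting.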