[Openid-specs-ab] Attribute Exchange w/ OpenID Connect?
Torsten Lodderstedt
torsten at lodderstedt.net
Sun Mar 15 17:03:11 UTC 2015
Hi Eve, Nat,
thanks for your advice.
Our current implementation uses a constant "identifier" with a value of
"anonymous".
kind regards,
Torsten.
Am 11.03.2015 um 14:06 schrieb Nat Sakimura:
> Hi Torsten,
>
> Not sure how it went but like I said before, ephemeral identifier is
> perfectly legal in OpenID Connect.
>
> It is just the matter of asking for it, and I suggested using ACR for it.
>
> The resulting sub/user_id is going to be one time only - anonymous
> identifier.
> That's how an attribute based credential should be created using
> OpenID Connect.
>
> Perhaps we should write a mini-spec / I-D so that we can register the
> value "anonymous" to the registry.
>
> Nat
>
> On Wed, Mar 11, 2015 at 9:57 PM Eve Maler <eve at xmlgrrl.com
> <mailto:eve at xmlgrrl.com>> wrote:
>
> Hi Torsten-- N.B.: I don't think I have posting privileges on this
> list; not sure if the moderator let my previous note through, or
> if you'll see it simply because I'm sending it directly to you as
> well...
>
> As long as the identifier coming from the IdP is "directed" (in
> OpenID-speak), meaning it makes a different federated identifier
> for each RP so that multiple RPs can't collude to identify the
> user on the basis of the IDs they've been given, then that's one
> issue taken care of. The next issue is whether the identifier
> itself reveals anything about the user. It's possible to create
> "directed identities" that are revealing -- e.g.,
> bob+rp1 at gmail.com <mailto:bob+rp1 at gmail.com>, bob+rp2 at gmail.com
> <mailto:bob+rp2 at gmail.com>... But the usual intent with federated
> identifiers is to make them non-revealing, e.g.
> "randomstring6234sdfd345" for RP1, etc. Making them explicitly
> transient as well as pseudonymous also limits the temporal scope
> of their usefulness, which helps avoid the trap of internal
> correlation at the RP or collusion with others over time as the
> pseudonym ages. In SAML, the assumption is that the temporal scope
> limitation is session-length, to at least allow for things like
> single logout while protecting against cross-session correlation.
>
> FWIW,
>
> Eve
>
> On 1 Dec 2012, at 7:26 AM, Torsten Lodderstedt
> <torsten at lodderstedt.net <mailto:torsten at lodderstedt.net>> wrote:
>
>> Hi Eve,
>>
>> thanks for pointing this out. At first glance it seems to be
>> feasable although I honestly don't know whether such an
>> identifier would conflict with the OIDC semantics.
>>
>> To give you more context: I'm looking for a way to "just" assert
>> a boolean claim to the RP. The use case, I'm currently
>> investigating, is age verification. The RP wants the OP to attest
>> whether the user is above 18. There is no session between RP and
>> OP and the OP will typically not disclose any further data. I
>> would prefer to realize this without the need to make up an
>> identifier just to fulfill the protocol requirements.
>>
>> regards,
>> Torsten.
>>
>>
>>
>> Eve Maler <eve at xmlgrrl.com <mailto:eve at xmlgrrl.com>> schrieb:
>>
>> This sounds just like the justification for SAML's transient pseudonyms -- good only for the current session, handy for cases where the RP needs some sort of unique "handle" for internal user/session management, and useful for session timeouts or single logout a bit later on.
>>
>> Eve
>>
>> On 30 Nov 2012, at 8:19 AM, Torsten Lodderstedt <torsten at lodderstedt.net <mailto:torsten at lodderstedt.net>> wrote:
>>
>> We don't want the RP to track the user. So we would need
>> to issue different user_id for every request. But I don't
>> think is fit into the Connect philosophy. regards,
>> Torsten. Am 30.11.2012 17:11, schrieb Justin Richer:
>>
>> Would using pairwise identifiers make this work? --
>> Justin On 11/30/2012 11:09 AM, Torsten Lodderstedt
>> wrote:
>>
>> Hi, in some cases we want to provide RPs with
>> attributes but no user_id, which is similar to
>> AX. How can this be realized in Connect? The
>> scope value "openid" activates the OpenID mode at
>> the AS but it also requests access to the user_id
>> Claim. If we do not want to disclose a user_id,
>> does this mean we need to define a new, distinct
>> scope for our use case, e.g. "attribute_x"?
>> regards, Torsten.
>> ------------------------------------------------------------------------
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> <mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>> ------------------------------------------------------------------------
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> <mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>>
>> Eve Malerhttp://www.xmlgrrl.com/blog
>> +1 425 345 6756http://www.twitter.com/xmlgrrl
>>
>>
>
>
> Eve Maler http://www.xmlgrrl.com/blog
> +1 425 345 6756 http://www.twitter.com/xmlgrrl
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> <mailto:Openid-specs-ab at lists.openid.net>
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150315/0e7d6ed9/attachment.html>
More information about the Openid-specs-ab
mailing list