[Openid-specs-ab] OpenID Provider Commands - proposed WG specification
Michael Schwartz
mike at gluu.org
Mon Feb 17 21:11:41 UTC 2025
Dick,
1. I don't really see the relationship between SCIM and SAML. Gluu
customers use SCIM to update all kinds of account information. Whether they
use SAML or OpenID depends on the RP. But I agree that more RPs support
SAML in B2B websites... it just seems like a non-sequitur.
2. You could in fact make a SCIM extension to send this kind of
information. For example, Gluu defined a FIDO SCIM extension because there
was no way to get a list of passkeys for a user, or to delete a user's lost
key.
3. Are you intending to specify that the RP will expose a non-SCIM stable
Internet facing backchannel web URL endpoint?
4. How would you protect this endpoint? SCIM left security out of scope.
And thus SCIM client libraries might or might not work, depending on how
they handle "OAuth" security.
5. So your solution does not want to support mobile or browser based
clients?
6. Per my post
<https://www.linkedin.com/posts/nynymike_token-status-list-activity-7295937395122655233-F7Rs?utm_source=share&utm_medium=member_desktop&rcm=ACoAAAArUy4Bb5Ha4b5n1mmyBhevew7nxXkSV14>
on Linkedin, I still think a pull based solution (i.e. based on OAuth
Status List) would be more lightweight. If you "push" messages, you will
need an RP endpoint or a long lived connection. Your spec could accomplish
all its goals by publishing a new kind of "Account JWT", and enabling the
RP to check the status of the JWT to see if anything changed. The advantage
of this is that the RP can get an update for **all** account tokens issued
by an OP at one time. Plus the status token is very small. Once the RP is
aware of the change, then it can interact with the OP, perhaps through an
authorization request to get updated userinfo. Also, no need to deal with
how to protect this very sensitive RP endpoint. One more thought... if
Google has a billion users, as an RP do I really need to know about all the
accounts that got compromised, even if they logged into my system only once
in the past? I'd rather just check the account status when I see the person
again.
So I'm agreeing with your idea, just not with your approach on how to solve
it :-)
- Mike
--------------------------------------
Michael Schwartz
Gluu
Founder/CEO
mike at gluu.org
https://www.linkedin.com/in/nynymike
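Added example (not part of Mike's message, and not Gluu or OpenID Foundation code) of the pull-based check described in point 6 above: the OP issues an "Account JWT" whose status claim references an index in a Status List Token, and the RP fetches that one token, verifies it, and reads the bits for any account it holds, either when the user shows up again or for all of its accounts at once. Claim names, the 2-bit packing (index 0 in the least significant bits of byte 0, zlib then base64url without padding), the status values and the statuslist+jwt type are taken from the OAuth WG Token Status List draft; the issuer URL, status list URI and the HS256 shared key are constructed for the demo (a real OP signs with its published asymmetric key and the RP verifies against the OP's JWKS).

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Layout follows the OAuth WG Token Status List draft: 2 bits per entry, index 0 in the
# least significant bits of byte 0, bitstring zlib-compressed, base64url without padding.
VALID, INVALID, SUSPENDED = 0x00, 0x01, 0x02
BITS = 2

# Constructed demo values. A real OP signs with a published asymmetric key and the RP
# verifies against the OP's JWKS; HS256 with a shared key only lets the example run offline.
OP_ISSUER = "https://op.example"
STATUS_LIST_URI = "https://op.example/statuslists/1"
OP_KEY = b"constructed-demo-key-do-not-use"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jws_sign(payload: dict, key: bytes, typ: str) -> str:
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": typ}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def jws_verify(token: str, key: bytes, typ: str) -> dict:
    """Return the payload only if signature, alg and typ check out (typ stops token confusion)."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    hdr = json.loads(b64url_decode(header))
    if hdr.get("alg") != "HS256" or hdr.get("typ") != typ:
        raise ValueError("unexpected JWS header")
    return json.loads(b64url_decode(body))

def encode_status_list(statuses: list, bits: int = BITS) -> str:
    """Pack one status per slot, LSB-first within each byte, then deflate + base64url."""
    per_byte = 8 // bits
    buf = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        if not 0 <= status < (1 << bits):
            raise ValueError(f"status {status} does not fit in {bits} bits")
        buf[idx // per_byte] |= status << ((idx % per_byte) * bits)
    return b64url_encode(zlib.compress(bytes(buf), 9))

def read_status(lst: str, idx: int, bits: int) -> int:
    raw = zlib.decompress(b64url_decode(lst))
    per_byte = 8 // bits
    if idx // per_byte >= len(raw):
        raise IndexError(f"idx {idx} is outside the status list")
    return (raw[idx // per_byte] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)

# OP side: one Account JWT per account, one Status List Token covering all of them.
def issue_account_jwt(sub: str, idx: int) -> str:
    claims = {"iss": OP_ISSUER, "sub": sub, "iat": int(time.time()),
              "status": {"status_list": {"idx": idx, "uri": STATUS_LIST_URI}}}
    return jws_sign(claims, OP_KEY, "JWT")

def publish_status_list_token(statuses: list) -> str:
    claims = {"iss": OP_ISSUER, "sub": STATUS_LIST_URI, "iat": int(time.time()), "ttl": 300,
              "status_list": {"bits": BITS, "lst": encode_status_list(statuses)}}
    return jws_sign(claims, OP_KEY, "statuslist+jwt")

# RP side: pull the list, verify it, then look up whichever accounts it cares about.
def verified_status_list(status_list_token: str, expected_uri: str) -> dict:
    sl = jws_verify(status_list_token, OP_KEY, "statuslist+jwt")
    if sl.get("iss") != OP_ISSUER or sl.get("sub") != expected_uri:
        raise ValueError("status list token does not belong to the referenced uri")
    return sl["status_list"]

def rp_check_account(account_jwt: str, status_list_token: str) -> int:
    """Status of one account, e.g. when that user shows up again."""
    ref = jws_verify(account_jwt, OP_KEY, "JWT")["status"]["status_list"]
    sl = verified_status_list(status_list_token, ref["uri"])
    return read_status(sl["lst"], ref["idx"], sl["bits"])

def rp_scan(status_list_token: str, known: dict) -> dict:
    """One fetch answers for every account the RP holds a token for: {sub: idx} -> {sub: status}."""
    sl = verified_status_list(status_list_token, STATUS_LIST_URI)
    return {sub: read_status(sl["lst"], idx, sl["bits"]) for sub, idx in known.items()}

def rp_trusts(status_list_token: str) -> bool:
    """True only for a Status List Token that verifies and belongs to the expected uri."""
    try:
        verified_status_list(status_list_token, STATUS_LIST_URI)
        return True
    except ValueError:
        return False
```

Usage: build the OP's list with e.g. statuses = [VALID] * 10, mark one entry INVALID and one SUSPENDED, call publish_status_list_token(statuses), then on the RP either rp_check_account(account_jwt, slt) for the user in front of you or rp_scan(slt, {sub: idx, ...}) to refresh every account in one round trip. The RP checks the Status List Token's signature, typ and sub before trusting a single bit; that verification is what takes the place of protecting an Internet-facing push endpoint, and it is the one place where an RP skipping the typ or sub check would let an attacker substitute some other JWT signed by the same OP.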