[Openid-specs-ab] OpenID Provider Commands - proposed WG specification

Wed Jan 15 12:29:44 UTC 2025

Hello WG (and chairs)

Karl (cc'ed) and I have been working on a new protocol that complements
OpenID Connect for an OP to centrally manage account lifecycles at RPs. We
have also defined an Unauthorize Command which undoes whatever actions an
RP did in a previous OpenID Connect login -- useful if an OP suspects an
account or device had been compromised -- instructs an RP to "kill all the
sessions and tokens"

We contribute the IP in the attached HTML and Markdown files to the OpenID
Foundation per the Foundations IPR.

We have a FAQ as a note at the top, that I am including below for your
convenience.

We hope this work is of interest to others in the WG, and that together we
can improve the security posture of implementers.

/Dick & Karl

*1. How does SCIM compare to OpenID Provider (OP) Commands?*
<#section-1-1.2>

The SCIM protocol is a general purpose protocol for a client to manage
resources at a server. When the SCIM protocol is used between an IdP and an
RP, the schema is defined by the RP. The resources managed are in the
context of the RP Tenant in a multi-tenant RP. Any extensions to the schema
are defined by the RP. This provided an interoperable protocol to manage RP
resources. OpenID Provider Commands are an extension of a user Account
created by OpenID Connect. It uses the same identity Claims that the OP
issues for the user. It uses the same token Claims, and is verified the
same way. OpenID Provider Commands are issued in the context of the OP
Tenant in a multi-tenant OP. <#section-1-1.3>

*2. How do Shared Signals / RISC compare to OpenID Provider Commands?*
<#section-1-1.4>

Shared Signals and RISC are events that one party is sharing with another
party. The actions a receiving party takes upon receiving a signal are
intentionally not defined. The actions taken by the RP when receiving an
OpenID Provider Command is specified. This gives an OP control over the
Account at the RP. <#section-1-1.5>

*3. Are OpenID Provider Commands a replacement for SCIM, Shared Signals, or
RISC?* <#section-1-1.6>

No. These standards are deployed by organizations that have complex
requirements, and these standards meet there needs. Most OP / RPs do not
deploy any of these standards, as the implementation complexity is not
warranted. OpenID Provider Commands are designed to build on OpenID
Connect, allowing RPs using OpenID Connect an easy path to offer OPs a
standard API for security and lifecycle operations. <#section-1-1.7>

*4. Why are there only groups? Why not roles and entitlements?*
<#section-1-1.8>

OpenID Provider Commands are used to project the Tenant data managed
centrally by the OP. Groups are a common term used by OPs to manage a
collection of Accounts. The terms roles and entitlements tend to be RP
specific. Generally, groups from the OP will be mapped to roles and/or
entitlements that are RP specific, at the RP.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250115/7b8c5b2c/attachment-0001.htm>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250115/7b8c5b2c/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openid-provider-commands-1_0-00.md
Type: application/octet-stream
Size: 39023 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250115/7b8c5b2c/attachment-0001.obj>