[Openid-specs-ab] OpenID Provider Commands - proposed WG specification

Thu Jan 16 17:50:43 UTC 2025

Adding to Aaron's comments.

The account and tenant information is all managed by the OP, and the OP
knows when it changes, so the OP knows when to push the changes to the RP.
Telling the RP to pull the data seems inefficient, and this approach allows
the RP to be passive and receive data when it changes.

But perhaps I am missing something in our suggestions. Can you elaborate on
why you are suggesting that and what the advantages might be?

Related: Karl and I have pondered how can the RP tell the OP it wants the
metadata again. One approach would be the OP provides that functionality in
its RP management console.

On Thu, Jan 16, 2025 at 2:27 PM Aaron Parecki via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Vladimir, I understand the thought behind this suggestion, but I think it
> only adds unnecessary complexity.
>
> The value of this draft comes from leveraging the existing relationship
> and configuration between the RP and IdP, namely that the RP is necessarily
> already configured to validate signed ID tokens, and this draft builds on
> that to send signed tokens with the same signing key so that there isn't
> another credential to configure and maintain.
>
> Alternatively, making the RP fetch the data means forcing the RP to
> maintain an access token, defining an API request and response vocabulary,
> defining endpoint discovery for the API, etc, much more work on both ends
> for little benefit.
>
> Aaron
>
>
>
> On Thu, Jan 16, 2025 at 4:00 AM Vladimir Dzhuvinov / Connect2id via
> Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
>> Dick, Karl, hi.
>>
>> Interesting draft.
>>
>> I'm wondering whether the messaging and the overall architecture could be
>> simplified by sending simple "state changed" JWTs from OP to RP. Instead of
>> "command+data" JWTs.
>>
>>    - The "account" and "tenant" are protected resources at the OP.
>>
>>    - The "account" and "tenant" resources have a clearly designated
>>    current state / status, e.g. "active".
>>
>>    - If the state changes the OP sends a "state changed" JWT.
>>
>>    - The RP can always check / poll the resource (for changes, or if it
>>    suspects a missed JWT). Cache headers could be used to hint when to recheck.
>>
>>    - The resource may provide a history of the changes.
>>
>>
>>    -
>>
>>
>> Vladimir Dzhuvinov
>>
>> On 15/01/2025 14:29, Dick Hardt via Openid-specs-ab wrote:
>>
>> Hello WG (and chairs)
>>
>> Karl (cc'ed) and I have been working on a new protocol that complements
>> OpenID Connect for an OP to centrally manage account lifecycles at RPs. We
>> have also defined an Unauthorize Command which undoes whatever actions an
>> RP did in a previous OpenID Connect login -- useful if an OP suspects an
>> account or device had been compromised -- instructs an RP to "kill all the
>> sessions and tokens"
>>
>> We contribute the IP in the attached HTML and Markdown files to the
>> OpenID Foundation per the Foundations IPR.
>>
>> We have a FAQ as a note at the top, that I am including below for your
>> convenience.
>>
>> We hope this work is of interest to others in the WG, and that together
>> we can improve the security posture of implementers.
>>
>> /Dick & Karl
>>
>> *1. How does SCIM compare to OpenID Provider (OP) Commands?*
>>
>> The SCIM protocol is a general purpose protocol for a client to manage
>> resources at a server. When the SCIM protocol is used between an IdP and an
>> RP, the schema is defined by the RP. The resources managed are in the
>> context of the RP Tenant in a multi-tenant RP. Any extensions to the schema
>> are defined by the RP. This provided an interoperable protocol to manage RP
>> resources. OpenID Provider Commands are an extension of a user Account
>> created by OpenID Connect. It uses the same identity Claims that the OP
>> issues for the user. It uses the same token Claims, and is verified the
>> same way. OpenID Provider Commands are issued in the context of the OP
>> Tenant in a multi-tenant OP.
>>
>> *2. How do Shared Signals / RISC compare to OpenID Provider Commands?*
>>
>> Shared Signals and RISC are events that one party is sharing with another
>> party. The actions a receiving party takes upon receiving a signal are
>> intentionally not defined. The actions taken by the RP when receiving an
>> OpenID Provider Command is specified. This gives an OP control over the
>> Account at the RP.
>>
>> *3. Are OpenID Provider Commands a replacement for SCIM, Shared Signals,
>> or RISC?*
>>
>> No. These standards are deployed by organizations that have complex
>> requirements, and these standards meet there needs. Most OP / RPs do not
>> deploy any of these standards, as the implementation complexity is not
>> warranted. OpenID Provider Commands are designed to build on OpenID
>> Connect, allowing RPs using OpenID Connect an easy path to offer OPs a
>> standard API for security and lifecycle operations.
>>
>> *4. Why are there only groups? Why not roles and entitlements?*
>>
>> OpenID Provider Commands are used to project the Tenant data managed
>> centrally by the OP. Groups are a common term used by OPs to manage a
>> collection of Accounts. The terms roles and entitlements tend to be RP
>> specific. Generally, groups from the OP will be mapped to roles and/or
>> entitlements that are RP specific, at the RP.
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing listOpenid-specs-ab at lists.openid.nethttps://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20250116/6cc84e94/attachment-0001.htm>