[Openid-specs-ab] OpenID Provider Commands - proposed WG specification

Dick Hardt dick.hardt at gmail.com
Thu Jan 30 15:48:50 UTC 2025


On Thu, Jan 30, 2025 at 1:03 PM Vladimir Dzhuvinov / Connect2id <
vladimir at connect2id.com> wrote:

> Hi Dick,
> On 23/01/2025 16:52, Dick Hardt wrote:
>
> Hi Vladimir
>
> By "enterprise app" are you referring to internal apps, or a B2B SaaS app?
> Internal apps can have direct access to the directory in many cases, so I'm
> assuming you are referring to B2B SaaS apps.
>
> Both actually. In those cases when we dealt with internal apps to be
> integrated via OIDC, the aim was to regulate access to the user data via
> the OpenID provider, and close off LDAP access.
>
Got it. It is common to use the same mechanism internally and externally to
provide a clear separation of concerns.


> What I like about the "Commands" is that it may simplify the necessary
> dealings for apps to be GDPR compliant. Managing that via the OIDC layer
> looks appealing.
>
Glad to hear! Would you elaborate on what aspect of GDPR compliance you are
thinking OIDC can help with?


> In my experience, an app needs to have a robust DB of user data. The OP
> knows when the data changes, so can push to the RP whenever there is a
> change. To ensure the data is in sync in case a command was missed or
> something, the OP occasionally can send a tenant_audit command to ensure
> the RP has what the OP thinks it should have.
>
> The task to supply user data in an app, in a persistent and
> well-structured fashion, looks easier when that's built on top of a RESTful
> resource.
>
I think you just described SCIM.


> Rather than on incoming RPC. App developers are more comfortable with
> RESTful resources and there is more available software to deal with that.
>
The RP endpoint is a webhook, a deployment model developers are familiar
with. There are plenty of libraries to verify a JWT, which is what is passed.


> An OP resource for the accounts and tenants will not make the JWTs to
> notify of state changes redundant. They'd still be useful to tell the RP
> to update its state.
>
Setting up and managing the authentication between parties is one of the
complexities of SCIM (which does not specify how to do it), and one of the
areas OP Commands simplifies by reusing the mechanisms used for ID Tokens.
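As an added example (not code from this thread or from the OP Commands draft), here is how an RP webhook could validate an incoming command JWT with the same checks it already applies to an ID Token and then reconcile a tenant_audit against its own tenant list. The HS256 keying by client_secret, the claim names `command` and `tenants`, and the issuer and client_id values are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time

# Constructed values for this example. OIDC permits HS256 ID Tokens keyed by the
# client_secret; the assumption here is that commands reuse that same key.
CLIENT_SECRET = b"constructed-client-secret"
OP_ISSUER = "https://op.example"   # constructed OP issuer
CLIENT_ID = "rp-client-123"        # constructed RP client_id

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_command(claims: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Compact HS256 JWT; used here only to construct sample OP commands."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def verify_command(token: str, now=None, secret: bytes = CLIENT_SECRET) -> dict:
    """Validate like an ID Token: alg pinned, signature, iss, aud, exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    head, body, sig = parts
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # also rejects alg=none
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != OP_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token not addressed to this RP")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("expired command")
    return claims

def handle_webhook(token: str, rp_tenants: set, now=None) -> dict:
    """RP webhook: verify, then reconcile a tenant_audit (claim names assumed)."""
    claims = verify_command(token, now)
    if claims.get("command") != "tenant_audit":
        return {"status": "ignored", "command": claims.get("command")}
    op_tenants = set(claims.get("tenants", []))
    return {"status": "audited",
            "missing": sorted(op_tenants - rp_tenants),   # OP has, RP lacks
            "stale": sorted(rp_tenants - op_tenants)}     # RP has, OP removed
```

The reconciliation result is what the RP would act on (create the missing tenants, retire the stale ones); a command that fails any of the ID Token style checks is dropped before any state is touched.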