[Openid-specs-ab] domains claim (Re: Review of OpenID Provider Commands (draft 00))
Dick Hardt
dick.hardt at gmail.com
Thu Mar 13 17:08:37 UTC 2025
breaking into separate thread
On Wed, Mar 12, 2025 at 10:53 PM Andrii Deinega <andrii.deinega at gmail.com>
wrote:
> On Wed, Mar 12, 2025 at 2:25 PM Dick Hardt <dick.hardt at gmail.com> wrote:
>
>> On Wed, Mar 12, 2025 at 8:47 PM Andrii Deinega <andrii.deinega at gmail.com>
>> wrote:
>>
> <snip>
>
>
>>> 4. I don't think I clearly understand what the goal of the "domains" claim
>>> in section "6.1 Metadata Command" is. If they are vendor specific, I'd suggest
>>> removing them from the spec altogether. It shouldn't be an issue to add
>>> them, as well as other claims, if a particular implementation / vendor
>>> needs them.
>>>
>>
>> These are DNS domains controlled by the tenant, and are a common way for
>> an RP to determine if accounts belong to the same organization.
>>
>
> What you described seems to be vendor specific details. I never said they
> aren't needed; these details simply don't necessarily need to be part of
> the spec.
>
Why would domains be vendor specific?
It is optional, so only implementations that provide verified domains would
include it. Both Microsoft and Google provide verified domains, so it is
pretty commonly used out in the wild.
We specify it to enable interop rather than different vendors picking a
different claim name with potentially different semantics.
It is an array, as a list of domains is not uncommon.
For example, after Salesforce acquired Slack, the OP for salesforce.com
might provide metadata that included:
"domains":["salesforce.com","slack.com"]
to tell the RP that it wants to be authoritative for users from either of
those domains.
Does that make more sense to you?
/Dick