[Openid-specs-ab] nested groups (was: Review of OpenID Provider Commands (draft 00))
Dick Hardt
dick.hardt at gmail.com
Thu Mar 13 20:55:51 UTC 2025
On Thu, Mar 13, 2025 at 8:01 PM Andrii Deinega <andrii.deinega at gmail.com>
wrote:
> Dick, you've clarified my suggestion, and provided a good example.
>
Yeah!
>
> > nesting groups would then only be allowed in the metadata command?
>
> That's correct.
>
> Karl, while I agree with all your points, my suggestion was to use
> something a bit better than a flat list of groups in the metadata, not in
> any other places. This information makes a lot of sense, at least for me;
> an RP has a better understanding of how groups are structured, which also
> allows building hierarchy queries like "I'd like to get all members in the
> staff group." It could be yet another nice thing that the OP Commands
> brings to the table, and I'll leave it up to the WG what to do with it next.
>
As Karl alluded to, but I will call out explicitly, exposing the group
structure to the RP may be considered oversharing by the enterprise
security team.
It is an interesting idea though, thanks for the proposal. Let's see what
others have to say!
/Dick
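To make the trade-off in this thread concrete, here is an added example (not from the OP Commands draft, and not code by Dick, Andrii or Karl) that models group metadata in two shapes: a flat list of group names, and a nested structure where each group lists direct members and direct subgroups. The field names `members` and `subgroups` and the sample groups are assumptions constructed for the illustration. The nested shape lets a consumer answer "all members of the staff group", but it also reveals the whole hierarchy; resolving the transitive closure at the OP and handing the RP only the result keeps the structure private.

```python
"""Flat vs nested group metadata: what each shape lets a consumer derive.

Constructed example; the metadata layout is an assumption, not the draft's format.
"""
from collections import deque

# Constructed nested metadata: direct members and direct subgroups per group.
GROUPS = {
    "staff": {"members": ["alice"], "subgroups": ["engineering", "finance"]},
    "engineering": {"members": ["bob", "carol"], "subgroups": ["security"]},
    "security": {"members": ["dave"], "subgroups": []},
    "finance": {"members": ["erin"], "subgroups": []},
}


def flat_group_list(groups):
    """The flat shape: only group names, no structure exposed."""
    return sorted(groups)


def transitive_members(groups, root):
    """All members of `root`, descending through nested subgroups.

    Breadth-first with a visited set so a malformed (cyclic) hierarchy
    cannot loop forever; unknown subgroup references are skipped.
    """
    seen, members, queue = set(), set(), deque([root])
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        entry = groups.get(name)
        if entry is None:
            continue
        members.update(entry["members"])
        queue.extend(entry["subgroups"])
    return sorted(members)


def effective_groups(groups, user):
    """Groups `user` belongs to directly or via nesting (ancestors included).

    This is the kind of result an OP could compute itself and release to an
    RP without exposing the hierarchy that produced it.
    """
    parents = {}
    for name, entry in groups.items():
        for child in entry["subgroups"]:
            parents.setdefault(child, []).append(name)
    direct = {n for n, e in groups.items() if user in e["members"]}
    seen, queue = set(), deque(direct)
    while queue:
        name = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        queue.extend(parents.get(name, []))
    return sorted(seen)


def structure_exposed(groups):
    """Edges an RP learns from the nested shape: (parent, child) pairs."""
    return sorted((p, c) for p, e in groups.items() for c in e["subgroups"])


if __name__ == "__main__":
    print("flat:", flat_group_list(GROUPS))
    print("staff members:", transitive_members(GROUPS, "staff"))
    print("dave's groups:", effective_groups(GROUPS, "dave"))
    print("hierarchy revealed:", structure_exposed(GROUPS))
```

`structure_exposed` is the point Dick raises: with the nested shape the RP can reconstruct the org chart, whereas `effective_groups` shows the per-user answer an OP could release instead.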