[Openid-specs-ab] Lite Draft 8

John Bradley ve7jtb at ve7jtb.com
Thu Aug 18 17:13:59 UTC 2011


To this point in OAuth, groups of resources/attributes are defined by scopes, and users approve or deny a scope.
An example of this is the Facebook Graph API.

With a single scope the IdP would have to ask users for permission to share email and address at every site, even if they don't want it.

Without a way to only request the identifier the GSA probably will not approve a profile of Connect.

So we can make a single scope for all the attributes, but then we need to invent some way to signal that the RP doesn't want the attributes it is asking for in the default scope.
I think that is more complicated.

We do have a way in the full spec to ask for specific claims, but that only adds to the ones requested by the scopes.

John
On 2011-08-18, at 12:50 PM, Anthony Nadalin wrote:

> Wouldn't/couldn't that be part of the user consent for a fixed schema?
>  
> From: John Bradley [mailto:ve7jtb at ve7jtb.com] 
> Sent: Wednesday, August 17, 2011 5:20 PM
> To: Anthony Nadalin
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Lite Draft 8
>  
> Yes but the question is how you ask for authorization.
>  
> If there is only one scope then you can't ask for a subset. At least Facebook doesn't want to give email by default.
>  
> I suspect that you are not arguing against privacy, or consent. So perhaps I am not understanding the question.
>  
> Are you asking for a single scope called openid that provides an id_token for the session info and an access token scoped for all of the user's available attributes?
>  
> The current proposal is 4 scopes so that an RP just wanting to do SSO doesn't need to ask for permission to get the user's name.
>  
> openID = User ID
> email  = email
> address = address
> profile = all remaining default attributes.
>  
> I think for interoperability we have to say something about the scopes for the user-info endpoint.
>  
> John
> On 2011-08-17, at 1:28 PM, Anthony Nadalin wrote:
> 
> So why would you have to give back all the information? You get back all or any portion that you are authorized to access
>  
> From: John Bradley [mailto:ve7jtb at ve7jtb.com] 
> Sent: Tuesday, August 16, 2011 4:41 PM
> To: Anthony Nadalin
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] Lite Draft 8
>  
> From a privacy point of view giving all of the information in the user-info endpoint all the time with only a single scope is not ideal.  
> Mike wanted to do that but have additional negative scope so that you could say you don't want things, but have the default be the common case.  
> This still requires defining multiple scopes.
>  
> We could just make openid the scope for the id_token.  However that makes interoperability for the user-info endpoint worse than AX if that is possible.
>  
> I wouldn't want to get rid of nonce or state for security reasons.  We could make those required for the profile and ditch prompt and display.
>  
> Other opinions?
>  
> On 2011-08-16, at 7:03 PM, Anthony Nadalin wrote:
> 
> 1. 3.1 Why is there any scope beyond "openid"? Is this spec going to be continually updated whenever a new scope is added/changed? It seems like a bad idea to have additional scopes in the spec.
> 2. 3.2.1 Why have optional parameters? This should be basic (code and go).
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
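The four-scope proposal discussed above (openid = user ID, email, address, profile = remaining default attributes), as an added example that is not part of this thread or of any OpenID Connect implementation: the RP requests only the scopes it needs together with the state and nonce the thread wants kept, the IdP's UserInfo endpoint releases only the claims covered by the scopes the user approved, and the RP checks that the response is bound to its request. The endpoint URLs, client id, user record and the claim names under "profile" are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode

# Scope -> UserInfo claims, following the four scopes proposed in the thread.
# The claim names under "profile" are constructed placeholders for "all
# remaining default attributes".
SCOPE_CLAIMS = {
    "openid": {"sub"},                       # user identifier only (enough for SSO)
    "email": {"email"},
    "address": {"address"},
    "profile": {"name", "given_name", "family_name", "picture"},
}

# Constructed user record held by the IdP; "ssn" is covered by no scope at all.
SAMPLE_USER = {"sub": "248289761001", "email": "jane@example.com",
               "address": "1 Main St", "name": "Jane Doe", "ssn": "never released"}


def build_auth_request(authz_endpoint, client_id, redirect_uri, scopes):
    """RP side: build the authorization URL for exactly the scopes needed.

    Returns (url, state, nonce); the RP keeps state and nonce in its session
    so the callback and the id_token can be bound back to this request.
    """
    unknown = set(scopes) - set(SCOPE_CLAIMS)
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    if "openid" not in scopes:
        raise ValueError("the openid scope is required to get an id_token")
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,   # binds the callback to this browser session (CSRF)
        "nonce": nonce,   # must be echoed inside the id_token (replay)
    }
    return f"{authz_endpoint}?{urlencode(params)}", state, nonce


def userinfo_response(granted_scopes, user_record):
    """IdP side: release only the claims covered by scopes the user approved."""
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in granted_scopes))
    return {k: v for k, v in user_record.items() if k in allowed}


def callback_is_bound(sent_state, sent_nonce, returned_state, id_token_claims):
    """RP side: accept the response only if state and nonce match what we sent."""
    return (secrets.compare_digest(sent_state.encode(), returned_state.encode())
            and secrets.compare_digest(sent_nonce.encode(),
                                       id_token_claims.get("nonce", "").encode()))
```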
