[Openid-specs-ab] scopes

John Bradley ve7jtb at ve7jtb.com
Fri Aug 19 15:44:09 UTC 2011


So that would be the same as the RP asking for all of the default user info parameters as optional. 

It would be up to the IdP and/or user to determine what a RP gets, by default.

If the RP doesn't get a claim it needs then it would need to use the claims mechanism to request it specifically, by making a second request.

That could work. 

If the request object turns off the default claims then an RP only wanting a single claim like email could use the full profile.

Facebook and others currently use multiple scopes to control access to their user-info-like endpoints.
We need to see how they feel about this.

If all the IdPs start making up their own scopes because they don't want to support claims then we have an interoperability issue.

Looking for feedback from Google and others.

John 

On 2011-08-18, at 9:31 PM, hideki nara wrote:

> John,
> 
> For simplicity in Lite, I think the RP should passively accept only the claims in
> the standard profile that the end user has permitted.
> 
> If the claim the RP expected is not in the UserInfo,
> 1)  the RP asks the end user to permit the claim at the OP and restarts
> OpenID Connect Lite.
> or
> 2)  the RP starts a new OpenID Connect Standard session with a Request Object.
> 
> Current scope things are a bit difficult for me to implement.
> ----
> hdknr
> 
> 2011/8/2 John Bradley <ve7jtb at ve7jtb.com>:
>> There are basically two options for scopes.
>> 
>> Option 1
>> openid          id_token
>> user-info       default user info less email and address
>> email           email
>> address         address
>> 
>> So to get just email & id_token you ask for "openid email"
>> 
>> 
>> Option 2
>> openid          id_token & user-info less email & address
>> email           email
>> address         address
>> no-default-information  This in conjunction with openid would only give you the id_token info
>> 
>> So to get just email & id_token you ask for "openid email no-default-information"
>> 
>> Talking to Breno, not asking for an access token doesn't look like a good option.
>> 
>> We need to support asking for nothing or just email for some applications.
>> 
>> John
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> 
>> 

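The two scope designs from John's quoted message, modelled side by side as an added example (not code from the thread or from any OpenID implementation). The names in DEFAULT_USERINFO are constructed placeholders, since the thread never lists the default user info claims; the last two helpers model the interoperability concern and the "second request via the claims mechanism" fallback from the reply above.

```python
from typing import FrozenSet, Set

# Constructed stand-in for the "default user info" set; the real claim
# list is not given in the thread, so these names are placeholders.
DEFAULT_USERINFO: FrozenSet[str] = frozenset({"name", "nickname", "picture"})
# Scope names that appear in the thread; anything else is IdP-specific.
KNOWN_SCOPES = {"openid", "user-info", "email", "address", "no-default-information"}


def resolve_option1(scope: str) -> Set[str]:
    """Option 1: 'openid' yields only the id_token; 'user-info' adds the defaults."""
    requested = set(scope.split())
    if "openid" not in requested:
        raise ValueError("'openid' scope is required")
    granted = {"id_token"}
    if "user-info" in requested:
        granted |= DEFAULT_USERINFO
    granted |= requested & {"email", "address"}
    return granted


def resolve_option2(scope: str) -> Set[str]:
    """Option 2: 'openid' yields the id_token plus the defaults, unless
    'no-default-information' is also requested."""
    requested = set(scope.split())
    if "openid" not in requested:
        raise ValueError("'openid' scope is required")
    granted = {"id_token"}
    if "no-default-information" not in requested:
        granted |= DEFAULT_USERINFO
    granted |= requested & {"email", "address"}
    return granted


def unknown_scopes(scope: str) -> Set[str]:
    """Scopes this IdP does not recognise: the interoperability gap that
    opens when each IdP invents its own scope names instead of using claims."""
    return set(scope.split()) - KNOWN_SCOPES


def claims_to_request(wanted: Set[str], granted: Set[str]) -> Set[str]:
    """Claims the RP still lacks after the first response and would have to
    ask for specifically with the claims mechanism in a second request."""
    return wanted - granted
```

Under Option 1, "openid email" returns only id_token and email; under Option 2 the same string also carries the default claims unless "no-default-information" is added.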

