[Openid-specs-ab] Reserved member definitions

Roland Hedberg roland.hedberg at adm.umu.se
Tue Sep 20 06:39:42 UTC 2011


19 sep 2011 kl. 23:54 skrev John Bradley:

> I am sympathetic to the position. 
> 
> However without namespace support in JSON, we just end up adding extra characters to the reserved names for not much more than formal correctness.

Yeah, that is a serious limitation to JSON.

> The decision was to go for a fixed schema (implied namespace) and fully namespaces claims.

What do you mean with 'fully namespaces claims' ?

> Perhaps being clear that all of the reserved claim names have a implied namespace that is not included in the JSON itself.

That would be important in the future.

OpenID Connect comes from OpenID which I have understood as being geared towards individuals maintaining their net identity.
I've been think about what it would take to make OpenID Connect usable in an organization context or for that matter in the context of federations of organizations. Something which I'd like to see as in scope.

And the first thing I stumble across is the lack of/limited extensibility of the schema.
This is a major limitation.
There is just a matter of course that there isn't an organization out there that doesn't have at least one attribute that is specific to them (at least they think it is) that they just have to have in an identity provider for it to be usable in their context.
So having an implied namespace for the OpenID Connect attributes could we allow for 'fully qualified' attributes from other namespaces ?

For instance:

{
 "name": "Jane Doe"
 "given_name": "Jane",
 "family_name": "Doe",
 "email": "janedoe at example.com",
 "picture": "http://example.com/janedoe/me.jpg",
 "http://xmlns.com/foaf/0.1/title": "Ms"
}

-- Roland


More information about the Openid-specs-ab mailing list