[Openid-specs-ab] "claims" in the Client Registration Spec?

Mike Jones Michael.Jones at microsoft.com
Wed Aug 12 18:48:23 UTC 2015


It depends upon the trust relationship between the signer and the server, if any.

Maybe you could write proposed spec language precisely describing the semantics you're after.  That could help make this discussion more concrete.

For instance, that would help us distinguish between "requested claims", "entitled claims", and "required claims" semantics.

Best wishes,
-- Mike
________________________________
From: Torsten Lodderstedt<mailto:torsten at lodderstedt.net>
Sent: 8/12/2015 2:35 PM
To: Mike Jones<mailto:Michael.Jones at microsoft.com>; John Bradley<mailto:ve7jtb at ve7jtb.com>
Cc: OpenId Connect List<mailto:openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] "claims" in the Client Registration Spec?

you could call it so - but doesn't nearly any claim in the context of
software statements change its semantics into "entitled to .." e.g.
grant types or response types or redirect uris?

On 12.08.2015 at 20:25, Mike Jones wrote:
> So what you're really after is an entitled_claims statement - correct?
>
> -----Original Message-----
> From: Torsten Lodderstedt [mailto:torsten at lodderstedt.net]
> Sent: Wednesday, August 12, 2015 2:21 PM
> To: Mike Jones; John Bradley
> Cc: OpenId Connect List
> Subject: Re: [Openid-specs-ab] "claims" in the Client Registration Spec?
>
> Hi Mike,
>
> pls. see my answer to John's posting. This is about entitlement of the particular RP to get access to certain claims.
>
> kind regards,
> Torsten.
>
> On 12.08.2015 at 04:40, Mike Jones wrote:
>> What meaning were you thinking of for this list?  Are you thinking of the RP making a statement at registration time that it is going to ignore any but the listed claims?  That would probably be harmless, but I'm not sure what good it would really do.
>>
>> On the other hand, I don't think it's reasonable to try to tell the server that it may not send claims other than those listed.  In Connect Core, we intentionally allow servers to return what claims they see fit, both for simplicity and privacy reasons.
>>
>>                               -- Mike
>>
>> -----Original Message-----
>> From: John Bradley [mailto:ve7jtb at ve7jtb.com]
>> Sent: Tuesday, August 11, 2015 4:08 PM
>> To: Torsten Lodderstedt
>> Cc: Mike Jones; OpenId Connect List
>> Subject: Re: [Openid-specs-ab] "claims" in the Client Registration Spec?
>>
>> So these would be default claims, or a filter that prevents more than the listed claims from coming back.
>>
>> How do you see this interacting with scopes?
>>
>>
>>> On Aug 11, 2015, at 8:32 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>>
>>> Hi Mike,
>>>
>>> as you are in the process of producing errata of the OIDC specs, I would like to raise a question regarding client registration we came up with in the MODRNA WG. Right now, the RP may restrict itself to certain grant and response types. We see the need to do the same for claims. Would you consider it a reasonable enhancement of the Client Registration spec to add something like "claims" to the registration spec? I consider it complementary to "claims_supported" as specified in the discovery spec.
>>>
>>> kind regards,
>>> Torsten.
