[Openid-specs-ab] "claims" in the Client Registration Spec?

George Fletcher gffletch at aol.com
Thu Aug 13 22:33:52 UTC 2015


Thanks for the background Torsten! That makes sense.

It still seems to me that if the claims are authorized by the central 
entity, then they need to be "signed" by the central entity so that the 
OP knows the RP didn't just put whatever they want in the list. As 
"trust frameworks" mature, I think this will be a more common use case.

Thanks,
George

On 8/13/15 4:36 PM, Torsten Lodderstedt wrote:
> Hi Georg,
>
> our assumption in MODRNA/Mobile Connect is that developers/partners 
> register with a certain mobile operator or a central entity (provided 
> by GSMA) and gets access to a number of OPs (provided by different 
> mobile operators). Given this assumptions, an OP belonging to this 
> ecosystem will trust software statements issued by the respective 
> entities. So OPs effectively outsource partner validation and 
> approval. This will require common standards agreed among all members 
> of the ecosystem.
>
> kind regards,
> Torsten.
>
> Am 13. August 2015 12:20:55 MESZ, schrieb George Fletcher 
> <gffletch at aol.com>:
>
>     Agreed it's a different container... but to me the semantics of
>     the container matter. The software statement is likely signed by a
>     third party while the registration parameters (while maybe signed)
>     are kind of "self asserted". As an AS, what I really need to know
>     is "who" is making the request and then base the entitled claims
>     on that more so than what's presented.
>
>     Would you want to delegate to a partner the ability for them to
>     specify which claims their clients can obtain without any
>     "oversight" from the AS perspective?
>
>     Thanks,
>     George
>
>     On 8/12/15 2:37 PM, Torsten Lodderstedt wrote:
>>     I don't distinguish claims in the registration request and in the
>>     software statement. It's just a different "container".
>>
>>     Am 12.08.2015 um 20:32 schrieb George Fletcher:
>>>     If these are claims the RP is entitled to receive, how does the
>>>     AS verify that claim? Shouldn't that data be in the Software
>>>     Statement rather than in the client reg parameters? I'm probably
>>>     missing something :)
>>>
>>>     Thanks,
>>>     George
>>>
>>>     On 8/12/15 2:19 PM, Torsten Lodderstedt wrote:
>>>>     good point. I would assume this is the list of claims the RP is
>>>>     entitled to get access to. I think it doesn't matter whether
>>>>     the RP asks for the claim via scopes or claims parameter.
>>>>
>>>>     Entitlement is given by the authority, which issued the
>>>>     software statement, the RP wants to register with.
>>>>
>>>>     Am 12.08.2015 um 01:07 schrieb John Bradley:
>>>>>     So these wold be default claims, or a filter that prevents
>>>>>     more than the listed claims from coming back.
>>>>>
>>>>>     How do you see this interacting with scopes?
>>>>>
>>>>>
>>>>>>     On Aug 11, 2015, at 8:32 AM, Torsten Lodderstedt
>>>>>>     <torsten at lodderstedt.net> wrote:
>>>>>>
>>>>>>     Hi Mike,
>>>>>>
>>>>>>     as you are in the process of producing eratas of the OIDC
>>>>>>     specs, I would like to raise a question regarding client
>>>>>>     registration we came up with in the MODRNA WG. Right now, the
>>>>>>     RP may restrict itself to certain grant and response types.
>>>>>>     We see the need to do the same for claims. Would you consider
>>>>>>     it a reasonable enhancement of the Client Registration spec
>>>>>>     to add something like "claims" to the registration spec? I
>>>>>>     consider it complementary to "claims_supported" as specified
>>>>>>     in the discovery spec.
>>>>>>
>>>>>>     kind regards,
>>>>>>     Torsten.
>>>>>>
>>>>>>
>>>>>>     _______________________________________________
>>>>>>     Openid-specs-ab mailing list
>>>>>>     Openid-specs-ab at lists.openid.net
>>>>>>     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>>     _______________________________________________
>>>>     Openid-specs-ab mailing list
>>>>     Openid-specs-ab at lists.openid.net
>>>>     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>
>>>     -- 
>>>     George Fletcher <http://connect.me/gffletch>
>>
>
>     -- 
>     George Fletcher <http://connect.me/gffletch>
>

-- 
George Fletcher <http://connect.me/gffletch>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150813/60ec3d77/attachment-0002.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20150813/60ec3d77/attachment-0003.html>


More information about the Openid-specs-ab mailing list