<div dir="ltr"><div>
> This can happen if the RP changes its configuration, or wants the OP to perform an audit because it is not sure it is in sync.
<br><br></div>As shared in the conversation last Thursday, here is another scenario for RP notifications.<br><br>Having a user account being active for no reason can be the source of large costs billed by an RP. Having the ability for the RP to notify the OP that it wants details about an account can help the Owner of the RP to apply a better logic for cost optimization by determining if the account is active at the OP. Active here is not in relation to Account Lifecycle State but more about if the Account is Idle or was subject to a valid Authorization decision recently. "Recently" being a notion evaluated by the RP.
</div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Fri, May 9, 2025 at 5:49 PM Dick Hardt via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><a href="https://github.com/openid/openid-provider-commands/pull/20" target="_blank">https://github.com/openid/openid-provider-commands/pull/20</a></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, May 8, 2025 at 9:17 PM Dick Hardt <<a href="mailto:dick.hardt@gmail.com" target="_blank">dick.hardt@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I cornered a few people tonight at events and queried preference for opaque URL vs opaque token and fixed endpoint. Opaque tokens were overwhelmingly preferred. 
I'll be doing a PR for that.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Apr 28, 2025 at 9:05 PM Dick Hardt <<a href="mailto:dick.hardt@gmail.com" target="_blank">dick.hardt@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">I was going to do a PR of this -- anyone have any pros / cons for a fixed OP endpoint and an opaque access token vs an opaque URL?</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 27, 2025 at 12:14 PM Dick Hardt <<a href="mailto:dick.hardt@gmail.com" target="_blank">dick.hardt@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>I've grouped issues 5 & 7 together as they are related.</div><div><br></div><div>The idea behind notifications is for the RP to be able to send the OP a notification. One reason for notifications is if the RP wants to request the OP to send a command. This can happen if the RP changes its configuration, or wants the OP to perform an audit because it is not sure it is in sync.</div><div><br></div><div>The other motivation came out of exploring the RP processing a command async. This came up in a discussion with a Drupal implementor. Deleting a user in Drupal is an async process as they don't want to block the PHP response as deletion can be time consuming. The deletion is put into a queue that is processed asynchronously. If supported, we would like a way for the RP to signal to the OP the result of the processing of the Command -- another notification.</div><div><br></div><div>If the Command is processed asynchronously, then the RP provides a 202 response. I'm leaning towards normative text that an RP SHOULD respond asynchronously if it can. I think async responses only make sense for Account Commands. 
The implication is that an RP that is not able to do synchronous deletes like Drupal, would not support `delete_tenant` -- an OP would need to delete each account individually.</div><div><br></div><div>Here are links to the issues:<br><br></div><div>notifications</div><div dir="ltr"><a href="https://github.com/openid/openid-provider-commands/issues/7" target="_blank">https://github.com/openid/openid-provider-commands/issues/7</a></div><div dir="ltr"><br><div>202 response for async command processing</div><div><a href="https://github.com/openid/openid-provider-commands/issues/5" target="_blank">https://github.com/openid/openid-provider-commands/issues/5</a></div></div></div></div></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>
</blockquote></div>