[Openid-specs-authzen] Last-minute change
Thomas Abbott
tabbott at sgnl.ai
Tue Sep 9 20:09:14 UTC 2025
About multiple evaluations, one for each token:
In OIDC the RP is asking the OP for a particular authorization, and based
on the request is expecting very particular tokens back from the flow.
Multiple tokens can be issued through a single authorization. ID tokens
are tied to the openid scope, refresh tokens are tied to the offline_access
scope. IDPs usually support multiple protocols (proprietary, OAuth 2.0,
OIDC, SAML, etc.), which also complicates things. This makes me feel like
what should be modeled in the request is the authorization request, not
which tokens are being minted.
What is proposed in the markdown
<https://hackmd.io/@oidf-wg-authzen/idp-integration> is closer to what I
would expect for the base "Token Issuance" use case.
On Mon, Sep 8, 2025 at 2:58 PM gerry gebel via Openid-specs-authzen <
openid-specs-authzen at lists.openid.net> wrote:
> Omri -
>
> We focused on the evaluations API call during this meeting and briefly
> spoke about search. One aspect we (at least I) had not considered until now
> was the location of data, whether authz data or identity data.
>
> It seems to me that there will be at least two situations:
> 1) The IDP has all the identity and authz data
> or
> 2) User data and authz data are split in some manner between IDP and PDP
>
> When using the search API, it implies that the authz data resides with the
> PDP - am I right in that understanding?
>
> Therefore, we will need to be clear with participants regarding our
> expectations on where identity and authz data are stored. We can
> arbitrarily decide what the configuration should be, but I would like it to
> be as closely aligned with real world scenarios as possible
>
> Gerry
>
> On Fri, Sep 5, 2025 at 12:46 PM Omri Gazitt <omri at aserto.com> wrote:
>
>> Thanks for the detailed notes!
>>
>> I’m surprised we’re not using the search API for the token enrichment
>> scenario - I think a very common scenario is listing group membership in
>> the token, and it would naturally complement the scenario described (which
>> uses boxcarred evaluations).
>>
>> Is it because we are concerned about not enough implementations supporting
>> search?
>>
>> Thanks,
>> Omri.
>>
>> On Fri, Sep 5, 2025 at 6:55 AM gerry gebel via Openid-specs-authzen <
>> openid-specs-authzen at lists.openid.net> wrote:
>>
>>> Hi David
>>>
>>> The notes are in this doc (
>>> https://hackmd.io/@oidf-wg-authzen/idp-integration) - thanks to Alex
>>> O!!!
>>>
>>> We'd like to have another call to discuss the scenarios before the next
>>> weekly meeting and I'll get with you to schedule that.
>>>
>>> Meanwhile, everyone - please review and add any pertinent comments.
>>>
>>> Thanks,
>>> Gerry
>>>
>>> On Fri, Sep 5, 2025 at 5:48 AM David Brossard via Openid-specs-authzen <
>>> openid-specs-authzen at lists.openid.net> wrote:
>>>
>>>> Dear all,
>>>>
>>>> Unfortunately I have a last-minute change. I will not be able to attend
>>>> our meeting in 15 mins. Gerry, can you take the lead and I will catch up with
>>>> you after the call?
>>>>
>>>> My apologies for the last minute change.
>>>>
>>>> David.
>>>> --
>>>> Openid-specs-authzen mailing list
>>>> Openid-specs-authzen at lists.openid.net
>>>> https://lists.openid.net/mailman/listinfo/openid-specs-authzen
>>>>
>
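The two ways of modelling token issuance that the thread discusses, as an added example that is not code from the thread, the working-group notes, or any IDP or PDP product. It builds the boxcarred "one evaluation per token" request beside a single evaluation of the authorization request itself, and then applies the scope-to-token mapping Thomas describes (openid yields an ID token, offline_access yields a refresh token) on the IDP side after the decision. The subject/action/resource/context request shape follows the AuthZEN Authorization API draft; the type and action names ("authorize", "client", "token", "issue_token"), the client identifiers, and the toy policy are assumptions made for illustration only.

```python
"""Added example: modelling OIDC token issuance as an AuthZEN evaluation.

Not code from the mailing-list thread or the AuthZEN working group. Request
shapes follow the AuthZEN Authorization API draft (subject/action/resource/
context); the names of types, actions, clients and the policy are assumptions.
"""
from typing import Any

# Scope -> token mapping named in the thread: the openid scope yields an ID
# token, offline_access yields a refresh token. An access token is implicit.
SCOPE_TOKENS = {"openid": "id_token", "offline_access": "refresh_token"}


def tokens_for_scopes(scopes: list[str]) -> list[str]:
    """Tokens a successful authorization with these scopes would mint."""
    return ["access_token"] + [SCOPE_TOKENS[s] for s in scopes if s in SCOPE_TOKENS]


def per_token_request(user_id: str, client_id: str, scopes: list[str]) -> dict[str, Any]:
    """Variant 1: boxcarred evaluations, one per token to be minted.

    The PDP never sees the authorization request as a whole, only the IDP's
    protocol-specific interpretation of it (which tokens it intends to issue).
    """
    return {
        "subject": {"type": "user", "id": user_id},
        "action": {"name": "issue_token"},           # assumed action name
        "context": {"client_id": client_id},
        "evaluations": [
            {"resource": {"type": "token", "id": t}}  # assumed resource type
            for t in tokens_for_scopes(scopes)
        ],
    }


def authorization_request(
    user_id: str, client_id: str, scopes: list[str], protocol: str = "oidc"
) -> dict[str, Any]:
    """Variant 2: a single evaluation that models the authorization request.

    The same shape serves any protocol the IDP speaks (OIDC, SAML, ...); which
    tokens get minted is the IDP's concern once the decision is in.
    """
    return {
        "subject": {"type": "user", "id": user_id},
        "action": {"name": "authorize"},              # assumed action name
        "resource": {"type": "client", "id": client_id},  # assumed resource type
        "context": {"protocol": protocol, "scopes": sorted(scopes)},
    }


# Constructed policy for the toy PDP (an assumption for this example): only the
# 'native-mobile' client may request offline_access, and only for employees.
EMPLOYEES = {"alice"}
OFFLINE_ALLOWED_CLIENTS = {"native-mobile"}


def toy_pdp_evaluate(req: dict[str, Any]) -> dict[str, Any]:
    """Minimal PDP for the single-evaluation request, implementing the
    constructed rule above. Returns the AuthZEN-style boolean decision plus an
    optional free-form context explaining a deny."""
    user = req["subject"]["id"]
    client = req["resource"]["id"]
    scopes = set(req["context"].get("scopes", []))
    if "offline_access" in scopes and (
        client not in OFFLINE_ALLOWED_CLIENTS or user not in EMPLOYEES
    ):
        return {"decision": False, "context": {"reason": "offline_access not permitted"}}
    return {"decision": True}


def issue(user_id: str, client_id: str, scopes: list[str]) -> list[str]:
    """IDP side: evaluate the authorization request once; on permit, mint the
    tokens implied by the scopes, otherwise mint nothing."""
    decision = toy_pdp_evaluate(authorization_request(user_id, client_id, scopes))
    return tokens_for_scopes(scopes) if decision["decision"] else []


if __name__ == "__main__":
    print(per_token_request("alice", "native-mobile", ["openid", "offline_access"]))
    print(issue("alice", "native-mobile", ["openid", "offline_access"]))
    print(issue("bob", "native-mobile", ["openid", "offline_access"]))
```

One consequence worth noting when comparing the two variants: with one evaluation per token a deny can apply to the refresh token alone while the ID and access tokens are still issued, whereas the single-evaluation model is all-or-nothing unless the PDP narrows the granted scopes in its response context (free-form in the draft) or the IDP issues a follow-up evaluation for the reduced scope set.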