[OpenID-Specs-eKYC-IDA] Data minimization in the previously granted claims access

Torsten Lodderstedt torsten at lodderstedt.net
Wed Mar 11 14:22:37 UTC 2020


I personally feel that downscoping a token in order to control the outcome of a resource call is a bit indirect. It mixes authorization and the actual API request in an unexpected way, at least from a more general perspective. 

> On 11. Mar 2020, at 11:44, Mischa Salle <msalle at nikhef.nl> wrote:
> 
> Hi all,
> 
> On Wed, Mar 11, 2020 at 11:08:12AM +0100, Torsten Lodderstedt via Openid-specs-ekyc-ida wrote:
>> Hi Vladimir,
>> 
>>> On 11. Mar 2020, at 10:31, Vladimir Dzhuvinov via Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net> wrote:
>>> 
>>> On 11/03/2020 09:42, Torsten Lodderstedt via Openid-specs-ekyc-ida wrote:
>>>> Hi Nat, 
>>>> 
>>>> we haven’t discussed this feature yet.
>>>> 
>>>> I think it makes sense to have that feature, especially if the RP obtained the authorization to access the user’s claims over a long time. I would assume an interesting use case would be to gather a larger set of data in the first request and update a sub set in subsequent transactions. 
>>>> 
>>>> The use case you illustrated, on the other hand, I think, could raise interesting questions regarding data minimisation itself. Why should the RP ask for a broader data set than it needs for the use case at hand?
>>>> 
>>> From what I understood Nat is interested in being able to differentiate immutable (e.g. National ID Number) vs mutable (e.g. address) claims. Then marking the first as "release once only". I'm not sure how this can work with std OAuth access tokens though.
>> 
>> I think the technical solution would need to include two elements: 
>> 
>> 1) How does the user determine (and consent to) what is being released under what circumstances? That would require extensions to the "claims” structure. 
>> 2) How does the client request the data? That would require a new parameter in the UserInfo request to request certain claims. 
> 
> just a thought, wouldn't this be better handled in a refresh request,
> and then asking for what will be needed next? After all a refresh
> request can also be used to down-scope the scope?
> 
> I also just found
> https://tools.ietf.org/html/draft-spencer-oauth-claims-01
> in particular
> https://tools.ietf.org/html/draft-spencer-oauth-claims-01#section-2.2
> which suggests the same for claims.
> 
> Best wishes,
> Mischa
> 
> 
>> 
>> best regards,
>> Torsten. 
>> 
>>> 
>>> Vladimir
>>> 
>>>> 
>>>> We can discuss in the call today.
>>>> 
>>>> best regards,
>>>> Torsten.  
>>>> 
>>>> 
>>>>> On 11. Mar 2020, at 06:06, Nat Sakimura via Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net>
>>>>> wrote:
>>>>> 
>>>>> Hi
>>>>> 
>>>>> I was wondering if it has already come up but I have a use-case where only a subset of (verified) claims are needed from time to time.
>>>>> For example, I may need to get the National ID number, address, DoB etc. in the first request, but in the subsequent request, I may just need the address as that is the only dynamic claim.
>>>>> 
>>>>> Presumably, I can use the previously obtained access token for this purpose as it is just down scoping, but I am not aware of a standardized way of sending "give me only this claim and nothing else" request to the Userinfo endpoint. From the data minimization point of view, this is pretty important.
>>>>> 
>>>>> Has this been discussed in this WG before?
>>>>> 
>>>>> Best,
>>>>> 
>>>>> Nat Sakimura
>>>>> -- 
>>>>> Openid-specs-ekyc-ida mailing list
>>>>> 
>>>>> Openid-specs-ekyc-ida at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ekyc-ida
>>>> 
>>> 
>>> -- 
>>> Vladimir Dzhuvinov
>>> 
>> 
> 
> 
> 
> 
> 
> -- 
> Nikhef                      Room  H155
> Science Park 105            Tel.  +31-20-592 5102
> 1098 XG Amsterdam           Fax   +31-20-592 5155
> The Netherlands             Email msalle at nikhef.nl
>  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..

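As an added illustration of the two elements Torsten lists (consented claim set, plus a request for a subset) and of Vladimir's "release once only" idea for immutable claims, here is a small UserInfo-style release check. It is example code written for this message, not part of any OpenID or OAuth specification; the `requested` subset parameter and the `IMMUTABLE` policy set are assumptions, and the claim values are constructed.

```python
"""Added example (not from the thread or any spec): a UserInfo-style release
check that honours a requested subset of claims without ever exceeding the
set the user consented to, and releases immutable claims only once."""
from dataclasses import dataclass, field

# Constructed sample: the claims the user consented to at the first request.
GRANTED = {
    "national_id": "ID-000-CONSTRUCTED",
    "address": "1 Example Street, Exampletown",
    "birthdate": "1970-01-01",
}
# Assumed policy: claims that do not change and need not be re-released.
IMMUTABLE = {"national_id", "birthdate"}


@dataclass
class Grant:
    """Server-side record of what an access token is allowed to release."""
    claims: dict
    released_once: set = field(default_factory=set)


def release(grant, requested=None):
    """Return the claims to release for one UserInfo call.

    requested: hypothetical subset parameter (None means everything granted).
    Anything outside the grant is refused outright rather than silently
    dropped, so a client learns it asked for more than it was authorized for.
    """
    wanted = set(grant.claims) if requested is None else set(requested)
    not_granted = wanted - set(grant.claims)
    if not_granted:
        raise PermissionError(f"not authorized: {sorted(not_granted)}")
    out = {}
    for name in sorted(wanted):
        if name in IMMUTABLE and name in grant.released_once:
            continue  # immutable claim was already delivered; do not repeat it
        out[name] = grant.claims[name]
        if name in IMMUTABLE:
            grant.released_once.add(name)
    return out


if __name__ == "__main__":
    g = Grant(dict(GRANTED))
    print(release(g))              # full set on first call
    print(release(g, ["address"]))  # only the dynamic claim afterwards
    print(release(g))              # immutable claims no longer repeated
```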