[Openid-specs-mobile-profile] [E] Question: mandatory vs Optional Scopes

George Fletcher george.fletcher at oath.com
Wed Aug 29 19:16:28 UTC 2018


The choice the RP has in that context is to fail the authentication. I
could see some RPs/SPs choosing to ask for the number and then doing a
phone number verification themselves (SMS loop). It totally depends on the
identity proofing requirements of the RP:)

It would be better for the MNO OPs to support the "claims" parameter which
allows the RP to specify a given claim as "essential" and if the user
chooses to not provide the essential claim, the authentication fails.

Even in this case, the RP is still responsible for what the UX should be
for such a use case. Maybe they chose to do a local registration instead of
Mobile Connect?

Thanks,
George

On Wed, Aug 29, 2018 at 2:57 PM Engan, Michael <Michael.Engan1 at t-mobile.com>
wrote:

> That would work for me. I still believe it should be an SP task to stitch
> the user experience. But I would probably have to disagree with the single
> “Phone_number” attribute. If an SP sends you to the MNO to authenticate,
> and the SP wants your phone number (with signed assertion from the carrier
> that the phone number is accurate), it would not make sense for the SP to
> ask the user for their phone number instead.
>
> *From:* Hjelm, Bjorn <Bjorn.Hjelm at VerizonWireless.com>
> *Sent:* Wednesday, August 29, 2018 11:53 AM
> *To:* Engan, Michael <Michael.Engan1 at T-Mobile.com>;
> openid-specs-mobile-profile at lists.openid.net; Fletcher, George <
> george.fletcher at oath.com>
> *Cc:* GORHAM, MARIA C <mg1928 at att.com>
> *Subject:* RE: [E] [Openid-specs-mobile-profile] Question: mandatory vs
> Optional Scopes
>
> The RP would state that a given "claim" is essential but would require the
> OP to support the claims parameter
> <http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter>.
> It’s worth noting that the “claims_parameter_supported Discovery result
> indicates whether the OP supports this parameter.”
>
> In talking to George, the general practice in a use case like this (where
> the RP asks for a set of attributes and the user chooses to not provide
> them) is that the RP would ask the user directly for those attributes if they
> are required.
>
> BR,
>
> Bjorn
>
> *From:* Openid-specs-mobile-profile [
> mailto:openid-specs-mobile-profile-bounces at lists.openid.net
> <openid-specs-mobile-profile-bounces at lists.openid.net>] *On Behalf Of *Engan,
> Michael
> *Sent:* Wednesday, August 29, 2018 10:52 AM
> *To:* openid-specs-mobile-profile at lists.openid.net; Hjelm, Bjorn
> *Cc:* GORHAM, MARIA C
> *Subject:* [E] [Openid-specs-mobile-profile] Question: mandatory vs
> Optional Scopes
>
> We have had requests from marketing teams to review SPs being able to
> define scopes as optional vs mandatory.
>
> Today our assumptions are the scopes requested in an openid connect
> request are optional. If the SP for instance asks for
>
> Scopes=(openid email phone) the user could select/deselect email or
> phone.
>
> Instead of the SP having to give the user an error that the user can’t
> proceed because one of the attributes was not provided, the SP could
> instead ask for a failed authentication for any scope being de-selected.
>
> Is this a feature/experience that has come up with anyone else before?
>
> Is there any suggestion on how to support this without doing something too
> far off spec?
>
> Michael Engan
> Principal Systems Architect,
> Authentication, Authorization, & API security
>
> 12920 SE 38th Street | Bellevue, WA 98006
> Direct 425-383-2268 | Mobile 425-443-3463
>
-- 
Identity Standards Architect
Identity Services Engineering, Oath Inc.
Mobile:+1-703-462-3494  Office:+1-703-265-2544
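An added example, not code from the thread or from any of its participants, of the RP-side handling Bjorn and George describe: the RP checks the OP's discovery document for `claims_parameter_supported`, sends the `claims` parameter with the phone number claims marked `essential`, and then fails the authentication itself if an essential claim does not come back, rather than re-prompting the user for a number the carrier was supposed to assert. The discovery document, the client id, the redirect URI and the userinfo responses are constructed placeholders; the OP endpoint is not a real MNO.

```python
import json
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample discovery document for a hypothetical OP (not a real MNO).
# Only the fields this example reads are included.
SAMPLE_DISCOVERY = {
    "issuer": "https://op.example.net",
    "authorization_endpoint": "https://op.example.net/authorize",
    "claims_parameter_supported": True,
}


def claims_parameter_supported(discovery):
    """Per OpenID Connect Discovery, claims_parameter_supported defaults to
    false when absent, so a missing key must be treated as 'not supported'."""
    return bool(discovery.get("claims_parameter_supported", False))


def build_authorization_url(discovery, client_id, redirect_uri, state, nonce,
                            essential_claims, voluntary_claims=()):
    """Build an authorization request that requests claims through the
    `claims` parameter (OpenID Connect Core 1.0, section 5.5), marking the
    given claims essential. Raises if the OP does not advertise support,
    because an OP that ignores the parameter silently treats every
    requested claim as optional."""
    if not claims_parameter_supported(discovery):
        raise ValueError("OP does not advertise claims_parameter_supported")
    userinfo = {name: {"essential": True} for name in essential_claims}
    # A null value requests the claim without marking it essential.
    userinfo.update({name: None for name in voluntary_claims})
    params = {
        "response_type": "code",
        "scope": "openid",  # the claims parameter replaces the email/phone scopes here
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "claims": json.dumps({"userinfo": userinfo}, separators=(",", ":")),
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


def claims_from_url(url):
    """Decode the `claims` parameter back out of a built URL (used to inspect
    what was actually sent)."""
    query = parse_qs(urlparse(url).query)
    return json.loads(query["claims"][0])


def missing_essential_claims(userinfo_response, essential_claims):
    """Return the essential claims that are absent or empty in the response.
    The RP has to run this check itself: marking a claim essential tells the
    OP the RP cannot proceed without it, but the OP may still omit it if the
    user declines to release it."""
    return [name for name in essential_claims if not userinfo_response.get(name)]


def accept_login(userinfo_response, essential_claims):
    """The RP decision discussed in the thread: fail the authentication when
    an essential claim is missing instead of asking the user to type it in."""
    return not missing_essential_claims(userinfo_response, essential_claims)


if __name__ == "__main__":
    # phone_number and phone_number_verified are standard OIDC claims; the
    # verified flag is what carries the carrier's assertion about the number.
    essential = ["phone_number", "phone_number_verified"]
    url = build_authorization_url(SAMPLE_DISCOVERY, "rp-client-id",
                                  "https://rp.example.com/cb", "state-1",
                                  "nonce-1", essential, ["email"])
    print(url)
    # Constructed userinfo response in which the user deselected the phone claims.
    declined = {"sub": "248289761001", "email": "user@example.com"}
    print("missing:", missing_essential_claims(declined, essential))
    print("accept:", accept_login(declined, essential))
```

The `scope` is kept at `openid` only, since the `claims` parameter is carrying the phone and email requests; an RP that also sends `phone` and `email` scopes gets the same claims requested twice, which is harmless but makes the essential/voluntary distinction harder to read in the OP's consent screen logs.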