[Openid-specs-mobile-profile] [External Sender] Re: [OpenID-Specs-eKYC-IDA] Camara & openid connect standards, and consent and purpose

Bjorn Hjelm bjorn.hjelm at oidf.org
Fri Sep 22 16:15:41 UTC 2023


George and Axel,
In my initial e-mail to the Identity and Consent Management group, I pointed to the Grant Management for OAuth 2.0<https://openid.net/specs/fapi-grant-management-01.html> spec, as well as the IETF RAR (RFC 9396<https://datatracker.ietf.org/doc/html/rfc9396>), as proposed solutions for this functionality.

I agree with George's comment, and section 3<https://openid.net/specs/fapi-grant-management-01.html#name-use-cases-supported> of Grant Management for OAuth 2.0 outlines the use cases supported by this spec, which allows issuing, modifying and revoking an authorization such as user consent.

Kind Regards,
Bjorn
________________________________
From: George Fletcher <george.fletcher at capitalone.com>
Sent: Friday, September 22, 2023 6:58 AM
To: OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida at lists.openid.net>
Cc: Axel.Nennker at telekom.de <Axel.Nennker at telekom.de>; Dawid.Wroblewski at t-mobile.pl <Dawid.Wroblewski at t-mobile.pl>; Shilpa.Padgaonkar at telekom.de <Shilpa.Padgaonkar at telekom.de>; Bjorn Hjelm <bjorn.hjelm at oidf.org>; openid-specs-fapi at lists.openid.net <openid-specs-fapi at lists.openid.net>; openid-specs-mobile-profile at lists.openid.net <openid-specs-mobile-profile at lists.openid.net>
Subject: Re: [External Sender] Re: [OpenID-Specs-eKYC-IDA] Camara & openid connect standards, and consent and purpose

What about using Rich Authorization Request to address the purpose and even the scope aspects? That would provide a lot of flexibility without adding any new parameters.

Thanks,
George

On Fri, Sep 22, 2023 at 9:14 AM Axel.Nennker--- via Openid-specs-ekyc-ida <openid-specs-ekyc-ida at lists.openid.net<mailto:openid-specs-ekyc-ida at lists.openid.net>> wrote:

An addition from Shilpa (who is not subscribed to OIDF mailing lists):

A good place to look at would be the PR https://github.com/camaraproject/IdentityAndConsentManagement/blob/526207689d024dd2294167d52f248fc4ae82f6b3/documentation/SupportingDocuments/Purpose%20Consent%20Proposal%20comparison.md

In the table there is a row about “What is expected for each /authorize call?”. Here you can find the comments from the 3 proposals in a consolidated format.

From: Nennker, Axel <Axel.Nennker at telekom.de<mailto:Axel.Nennker at telekom.de>>
Date: Friday, 22. September 2023 at 14:54
To: Bjorn Hjelm <bjorn.hjelm at oidf.org<mailto:bjorn.hjelm at oidf.org>>, MODRNA WG <openid-specs-mobile-profile at lists.openid.net<mailto:openid-specs-mobile-profile at lists.openid.net>>, OpenID eKYC Identity Assurance Working Group <openid-specs-ekyc-ida at lists.openid.net<mailto:openid-specs-ekyc-ida at lists.openid.net>>, FAPI Working Group List <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Cc: Padgaonkar, Shilpa <Shilpa.Padgaonkar at telekom.de<mailto:Shilpa.Padgaonkar at telekom.de>>, Wróblewski, Dawid <Dawid.Wroblewski at t-mobile.pl<mailto:Dawid.Wroblewski at t-mobile.pl>>
Subject: Camara & openid connect standards, and consent and purpose

Hi all,

in the Linux Foundation’s Camara project “consent” for API access is an important topic.

https://github.com/camaraproject/IdentityAndConsentManagement

We discussed “consent”, “purpose”, etc. in the past in the OIDF in several working groups, but people felt that the topic is not well understood, and most of the details were not standardized.

The eKYC-IDA group opted for going the way of defining a parameter “purpose” which is “some text”.

https://openid.net/specs/openid-connect-4-identity-assurance-1_0-13.html#name-transaction-specific-purpos

Instead of “some text”, others suggested encoding the purpose/consent into the scope, e.g.

“scope=FraudPreventionandDetection:check-sim-swap-date”

https://github.com/camaraproject/IdentityAndConsentManagement/issues/32


Sorry for cross-posting to MODRNA and eKYC-IDA and FAPI.

Which OIDF would be the right one to tackle consent/purpose (again)?

Or please contribute to the issue https://github.com/camaraproject/IdentityAndConsentManagement/issues/32 and others directly.

Also, if you are a telco employee who participates in OIDF WGs while your colleagues are working in Camara, please reach out to your colleagues.

Kind regards

Axel

Bjorn and Gail presented OIDF to Camara:

https://github.com/camaraproject/WorkingGroups/blob/main/Commonalities/documentation/SupportingDocuments/OIDF-CAMARA%20Project%20Presentation%20Jun%201%202023.pptx

https://openid.net/specs/openid-connect-user-questioning-api-1_0-11.html

https://openid.net/specs/fapi-grant-management.html#name-historical-grant-authorisat

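As an added example (not code from this thread, from Camara or from any OIDF spec), here is a small Python authorization-server helper that normalises the three purpose encodings discussed above, the IDA "purpose" parameter, the "purpose:api" scope layout from Camara issue #32, and an RFC 9396 "authorization_details" object, into one list of (api, purpose) pairs, so the consent screen and the grant record see the same data whichever form the client used. Assumptions: the 3..300 character bound is the IDA purpose-string constraint as recalled here, the RAR "type" value names the Camara API, a "purpose" member inside each authorization_details object is a hypothetical type-specific field (RFC 9396 lets each type define its own members), and the supported type set is constructed.

```python
import json
from urllib.parse import parse_qs, urlencode

PURPOSE_MIN, PURPOSE_MAX = 3, 300  # IDA purpose length bounds (assumed here)
# Types the AS would advertise in authorization_details_types_supported (constructed)
RAR_TYPES_SUPPORTED = {"check-sim-swap-date", "number-verification"}

class ConsentRequestError(ValueError): pass  # no usable purpose, or unknown RAR type

def check_purpose(purpose):
    if not isinstance(purpose, str) or not PURPOSE_MIN <= len(purpose) <= PURPOSE_MAX:
        raise ConsentRequestError("purpose must be a string of 3..300 characters")
    return purpose

def build_rar_query(api, purpose):
    # Client side; 'purpose' is a hypothetical type-specific member, not one RFC 9396 defines.
    details = [{"type": api, "purpose": purpose}]
    return urlencode({"scope": "openid", "authorization_details": json.dumps(details)})

def extract_consent(query):
    """AS side: normalise any of the three encodings to sorted (api, purpose) pairs."""
    params = {k: v[0] for k, v in parse_qs(query, strict_parsing=True).items()}
    pairs = set()
    if "authorization_details" in params:                        # RFC 9396 RAR
        try:
            details = json.loads(params["authorization_details"])
        except json.JSONDecodeError as exc:
            raise ConsentRequestError("authorization_details is not JSON") from exc
        if not isinstance(details, list):
            raise ConsentRequestError("authorization_details must be a JSON array")
        for entry in details:
            if not isinstance(entry, dict) or entry.get("type") not in RAR_TYPES_SUPPORTED:
                raise ConsentRequestError("unsupported authorization_details type")
            pairs.add((entry["type"], check_purpose(entry.get("purpose"))))
    for token in params.get("scope", "").split():
        if ":" in token:                                          # purpose:api in scope
            purpose, api = token.split(":", 1)
            pairs.add((api, check_purpose(purpose)))
        elif token != "openid" and "purpose" in params:           # IDA free-text purpose
            pairs.add((token, check_purpose(params["purpose"])))
    if not pairs:
        raise ConsentRequestError("no purpose-bound API access was requested")
    return sorted(pairs)

def is_valid(query):
    try:
        extract_consent(query)
        return True
    except ConsentRequestError:
        return False
```

Whatever the wire encoding, the AS then has one (api, purpose) list to show on the consent screen and to persist in the grant, which is the record Grant Management later queries or revokes.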
