[openid-specs-rande] today's meeting notes
Roland Hedberg
roland at catalogix.se
Thu Mar 14 13:03:14 UTC 2019
> On 12 Mar 2019, at 16:54, Nick Roy <nroy at internet2.edu> wrote:
>
> On 12 Mar 2019, at 7:53, Davide Vaghetti wrote:
>
>>> - related to the different scopes vs. claims discussions going on
>>> currently:
>>> - scitokens uses very much the scopes approach, see e.g.
>>> https://scitokens.org/technical_docs/Claims
>>> and uses a scope-per-claim to prevent the lack of support for the
>>> optional 'claims request'
>>> - Hans Zandbelt (I asked him at TIIME about support for the 'claims'
>>> request) is of the opinion that it's better to have the OP decide
>>> which claims to release for which protected endpoint/client
>>> combinations than to have the client request which claims it wants.
>>> I don't think we can always do this, but it is an interesting
>>> point, in particular in AARC BPA context, where we have an
>>> omniscient proxy. We might be able to prevent a lot of tricky
>>> situations...
>>
>> If I understand it well, we're speaking of not having the clients asking
>> claims in the authentication request. It sounds quite familiar for
>> someone coming from SAML based identity federations ;-)
>>
>> So, in the context of the AARC BPA I agree that this can work, but in a
>> more general context I don't see how it can scale. One option that
>> easily comes to mind is to go in the same direction we've followed for SAML:
>> rely on metadata to express required claims. In that case it would make
>> sense to have both the userinfo endpoint and the id_token claims
>
> +1
So you’re proposing that instead of using a feature described in the standard
you want to use something that is not in the standard at all?
And the reason for not using a feature described in the standard was that there was
lack of support?
—Roland
The reward for conformity was that everyone liked you except yourself. -Rita Mae Brown, writer (b. 28 Nov 1944)
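The thread contrasts three ways an RP can express which claims it wants (standard scopes, a scope-per-claim as SciTokens does, and the optional OIDC 'claims' request parameter) with Hans Zandbelt's suggestion that the OP decide per client what to release. The following is an added illustration, not code from the thread or from any of the projects mentioned; the client ids, the `claim:` scope prefix and the per-client policy table are constructed for the example.

```python
"""Illustration of OP-side claim release: the client's scopes and optional
'claims' parameter are treated as a request, and a per-client policy held by
the OP is the ceiling on what is actually released (least privilege).
All client ids, policies and the 'claim:' prefix are constructed here."""
import json
from typing import Optional, Set, Tuple

# OIDC Core section 5.4 maps standard scopes to claim sets (subset shown).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "preferred_username"},
    "email": {"email", "email_verified"},
}
CLAIM_SCOPE_PREFIX = "claim:"  # constructed scope-per-claim convention

# Hypothetical OP policy: the most each registered client may ever receive.
CLIENT_POLICY = {
    "rp-portal": {"sub", "name", "email", "eduperson_entitlement"},
    "rp-minimal": {"sub"},
}


def requested_claims(scope: str, claims_param: Optional[str] = None) -> Set[str]:
    """Claims the client asked for via scopes, scope-per-claim and 'claims'."""
    wanted: Set[str] = set()
    for s in scope.split():
        if s.startswith(CLAIM_SCOPE_PREFIX):
            wanted.add(s[len(CLAIM_SCOPE_PREFIX):])  # one scope per claim
        else:
            wanted |= SCOPE_CLAIMS.get(s, set())     # unknown scopes ignored
    if claims_param:
        req = json.loads(claims_param)
        for target in ("userinfo", "id_token"):
            wanted |= set(req.get(target, {}).keys())
    return wanted


def essential_claims(claims_param: Optional[str]) -> Set[str]:
    """Claims the 'claims' parameter marks as essential (OIDC Core 5.5.1)."""
    if not claims_param:
        return set()
    req = json.loads(claims_param)
    return {name for target in ("userinfo", "id_token")
            for name, opts in req.get(target, {}).items()
            if isinstance(opts, dict) and opts.get("essential") is True}


def claims_to_release(client_id: str, scope: str,
                      claims_param: Optional[str] = None) -> Tuple[Set[str], Set[str]]:
    """Return (claims released, essential claims the policy refuses)."""
    allowed = CLIENT_POLICY.get(client_id, set())  # unregistered client: nothing
    wanted = requested_claims(scope, claims_param)
    return wanted & allowed, essential_claims(claims_param) - allowed
```

A non-empty second element tells the OP that the RP declared a claim essential that policy will not release, which it can log or surface to the user instead of silently dropping.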