[openid-specs-rande] today's meeting notes

Mischa Salle msalle at nikhef.nl
Fri Mar 15 11:28:52 UTC 2019 

Hi,

On Thu, Mar 14, 2019 at 02:03:14PM +0100, Roland Hedberg wrote:
> 
> 
> > 12 mars 2019 kl. 16:54 skrev Nick Roy <nroy at internet2.edu>:
> > 
> > On 12 Mar 2019, at 7:53, Davide Vaghetti wrote:
> > 
> >>> - related to the different scopes vs. claims discussions going on
> >>>  currently:
> >>>    - scitokens uses very much the scopes approach, see e.g.
> >>>      https://scitokens.org/technical_docs/Claims
> >>>      and uses a scope-per-claim to prevent the lack of support for the
> >>>      optional 'claims request'>     - Hans Zandbelt (I asked him at TIIME about support for the 'claims'
> >>>      request) is of the opinion that it's better to have the OP decide
> >>>      which claims to release for which protected endpoint/client
> >>>      combinatios than to have the client request which claims it wants.
> >>>      I don't think we can always do this, but it is an interesting
> >>>      point, in particular in AARC BPA context, where we have an
> >>>      omniscient proxy. We might be able to prevent a lot of tricky
> >>>      situations...
> >> 
> >> If I understand it well, we're speaking of not having the clients asking
> >> claims in the authentication request. It sounds quite familiar for
> >> someone coming from SAML based identity federations ;-)
> >> 
> >> So, in the context of the AARC BPA I agree that this can work, but in a
> >> more general context I don't see how it can scale. One option that
> >> easily come to mind is go in the same direction we've followed for SAML:
> >> rely on metadata to express required claims. In that case it would make
> >> sense to have both the userinfo endpoint and the id_token claims
> > 
> > +1
> 
> So you’re proposing that instead of using a feature described in the standard
> you want to use something that is not in the standard at all ?
> 
> And the reason from not using a feature descibed in the standard was that there was
> lack of support ?

I agree that solving the problem of lack of support in the client
software for claims request by adding new information in the metadata
published by the same client is just moving the problem (and actually
solving a subset, unless you talk about client-metadata per protected
endpoint).
If we can solve the problem on a central proxy on the other hand, we
might have a chance. Hence my reference to and focus on the AARC BPA.

Mischa
-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3402 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-rande/attachments/20190315/c594085e/attachment.bin>

More information about the openid-specs-rande mailing list