[openid-specs-rande] Torsten's nice blog / claims request / scopes
Mischa Salle
msalle at nikhef.nl
Mon May 20 18:39:32 UTC 2019
Hi all,

after reading Torsten's very nice blogpost [1], and Nat Sakimura's
answer [2], (thanks to Jim Basney for pointing it out on the
discuss at scitokens.org mailing list [3]) I started wondering why we
actually are not using the claims request [4].

The reason we started using 'scopes per claim' is because of a lack of
support for the 'claims parameter', which is optional in the spec,
unlike the 'scope' parameter which is always supported. But now we've
gotten to the point where we need to put structure in the scopes, things
like "read:/foo" and the like, but using that would *also* require
support for non-standard things in client- and server software...?

So, am I missing something or have we just made a nice circle?

Best wishes,
Mischa

[1] https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
[2] https://nat.sakimura.org/2019/05/12/comments-back-to-transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-by-torsten/
[3] https://groups.google.com/a/scitokens.org/forum/#!topic/discuss/bpshiUuqRtg
[4] https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
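
Added example, not part of the original message or of any project's code: a relying party that sends the OpenID Connect 'claims' request parameter [4] when the provider's discovery metadata advertises claims_parameter_supported, and otherwise falls back to 'scopes per claim'. The provider metadata, endpoints, claim names and the scope-name-equals-claim-name convention are constructed assumptions.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed discovery documents (hypothetical providers, not real ones).
OP_WITH_CLAIMS = {
    "authorization_endpoint": "https://op.example.org/authorize",
    "claims_parameter_supported": True,
    "claims_supported": ["sub", "email", "eduperson_entitlement"],
}
OP_SCOPES_ONLY = {
    "authorization_endpoint": "https://op2.example.org/authorize",
    "scopes_supported": ["openid", "email", "eduperson_entitlement"],
}

def build_auth_request(op, client_id, redirect_uri, wanted, state, nonce):
    """Build an authorization URL. `wanted` maps claim name -> True when the
    claim is essential, False when it is voluntary."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    # OIDC Discovery: claims_parameter_supported defaults to false if omitted.
    if op.get("claims_parameter_supported", False):
        supported = set(op.get("claims_supported", wanted))
        # OIDC Core 5.5: each member is null (voluntary) or an object
        # such as {"essential": true}.
        requested = {name: ({"essential": True} if essential else None)
                     for name, essential in wanted.items() if name in supported}
        params["scope"] = "openid"
        params["claims"] = json.dumps({"id_token": requested},
                                      separators=(",", ":"))
    else:
        # Fallback, assuming a deployment convention of one scope per claim
        # where the scope is named after the claim. The essential/voluntary
        # distinction cannot be expressed this way and is lost.
        offered = op.get("scopes_supported", [])
        params["scope"] = " ".join(["openid"] +
                                   [name for name in wanted if name in offered])
    return op["authorization_endpoint"] + "?" + urlencode(params)

def parse_query(url):
    """Return the query parameters of `url` as a flat dict (for inspection)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

if __name__ == "__main__":
    wanted = {"email": True, "eduperson_entitlement": False}
    for op in (OP_WITH_CLAIMS, OP_SCOPES_ONLY):
        print(build_auth_request(op, "rp-client", "https://rp.example.org/cb",
                                 wanted, "st4te", "n0nce"))
```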