[openid-specs-rande] Torsten's nice blog / claims request / scopes
Roland Hedberg
roland at catalogix.se
Mon May 20 18:49:39 UTC 2019
Hi Mischa,
I think that the reason the discussion started on not relying on using the claims parameter was that some
implementations (most notably PingFederate) didn’t support it.
Now, it turns out that we are not the only community that is looking at claims to solve a problem.
Which will hopefully make implementers take note and actually support it.
Using scope to solve the data minimization problem has always been a kludge.
> On 20 May 2019, at 20:39, Mischa Salle <msalle at nikhef.nl> wrote:
>
> Hi all,
>
> after reading Torsten's very nice blogpost [1], and Nat Sakimura's
> answer [2], (thanks to Jim Basney for pointing it out on the
> discuss at scitokens.org mailing list [3]) I started wondering why we
> actually are not using the claims request [4].
> The reason we started using 'scopes per claim' is because of a lack of
> support for the 'claims parameter', which is optional in the spec,
> unlike the 'scope' parameter which is always supported. But now we've
> gotten to the point where we need to put structure in the scopes, things
> like "read:/foo" and the like, but using that would *also* require
> support for non-standard things in client- and server software...?
> So, am I missing something or have we just made a nice circle?
>
> Best wishes,
> Mischa
>
>
> [1] https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
> [2] https://nat.sakimura.org/2019/05/12/comments-back-to-transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-by-torsten/
> [3] https://groups.google.com/a/scitokens.org/forum/#!topic/discuss/bpshiUuqRtg
> [4] https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
>
> --
> Nikhef Room H155
> Science Park 105 Tel. +31-20-592 5102
> 1098 XG Amsterdam Fax +31-20-592 5155
> The Netherlands Email msalle at nikhef.nl
> __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
— Roland
Scratch a pessimist and you find often a defender of privilege. -William Beveridge, economist and reformer (5 Mar 1879-1963)
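
An added example, not part of either message: a relying party can read `claims_parameter_supported` from the provider's OpenID Connect Discovery metadata and send the `claims` request parameter when it is available, falling back to one scope per claim otherwise. The endpoint, client values, the `eduperson_entitlement` claim and the convention of naming each fallback scope after its claim are assumptions made for the illustration.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs


def build_auth_request(metadata, client_id, redirect_uri, wanted, state, nonce):
    """Build an authorization URL asking only for the claims in `wanted`.

    `wanted` maps claim name -> True (essential) or False (voluntary).
    """
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state, "nonce": nonce}
    # Discovery: claims_parameter_supported defaults to false when omitted.
    if metadata.get("claims_parameter_supported", False):
        # Core section 5.5: null means "voluntary", {"essential": true} marks
        # a claim the client cannot work without.
        requested = {name: ({"essential": True} if essential else None)
                     for name, essential in wanted.items()}
        params["scope"] = "openid"
        params["claims"] = json.dumps({"userinfo": requested})
    else:
        # Fallback (assumed convention): one scope per claim. The
        # essential/voluntary distinction cannot be expressed here.
        params["scope"] = " ".join(["openid"] + sorted(wanted))
    return metadata["authorization_endpoint"] + "?" + urlencode(params)


def describe_request(url):
    """Return (list of scopes, decoded claims request or None) for a URL."""
    query = parse_qs(urlparse(url).query)
    claims = json.loads(query["claims"][0]) if "claims" in query else None
    return query["scope"][0].split(), claims


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    wanted = {"eduperson_entitlement": True, "email": False}
    for supported in (True, False):
        metadata = {"authorization_endpoint": "https://op.example.org/authorize",
                    "claims_parameter_supported": supported}
        url = build_auth_request(metadata, "rp-client", "https://rp.example.org/cb",
                                 wanted, "st-123", "n-456")
        print(supported, describe_request(url))
```
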