[openid-specs-rande] Torsten's nice blog / claims request / scopes

Mischa Salle msalle at nikhef.nl
Mon May 20 18:54:39 UTC 2019


On Mon, May 20, 2019 at 08:49:39PM +0200, Roland Hedberg wrote:
> Hi Mischa,
> 
> I think that why the discuss started on not relying on using the
> claims parameter was that some implementations (most notably
> PingFederate) didn’t support it.
> 
> Now, it turns out that we are not the only community that are looking
> at claims to solve a problem.
> Which will hopefully make implementers take note and actually support it.
which would indeed be great.

My point however was even stronger. In order to support the scenarios
such as https://scitokens.org/technical_docs/Claims#scitokens-scopes
driven by e.g. WLCG, people will have to implement new things, so why
not implement something that's already in the spec and in a way that is
much more scalable (since you can easily request claim/claimvalue
pairs)?

> Using scope to solve the data minimalization problem has always been a kludge.
I fully agree...

    Best wishes,
    Mischa

> 
> > On 20 May 2019, at 20:39, Mischa Salle <msalle at nikhef.nl> wrote:
> > 
> > Hi all,
> > 
> > after reading Torsten's very nice blogpost [1], and Nat Sakimura's
> > answer [2], (thanks to Jim Basney for pointing it out on the
> > discuss at scitokens.org mailing list [3]) I started wondering why we
> > actually are not using the claims request [4].
> > The reason we started using 'scopes per claim' is because of a lack of
> > support for the 'claims parameter', which is optional in the spec,
> > unlike the 'scope' parameter which is always supported. But now we've
> > gotten to the point where we need to put structure in the scopes, things
> > like "read:/foo" and the like, but using that would *also* require
> > support for non-standard things in client- and server software...?
> > So, am I missing something or have we just made a nice circle?
> > 
> >    Best wishes,
> >    Mischa
> > 
> > 
> > [1] https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
> > [2] https://nat.sakimura.org/2019/05/12/comments-back-to-transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-by-torsten/
> > [3] https://groups.google.com/a/scitokens.org/forum/#!topic/discuss/bpshiUuqRtg
> > [4] https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
> > 
> > -- 
> > Nikhef                      Room  H155
> > Science Park 105            Tel.  +31-20-592 5102
> > 1098 XG Amsterdam           Fax   +31-20-592 5155
> > The Netherlands             Email msalle at nikhef.nl
> >  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..
> 
> — Roland
> Scratch a pessimist and you find often a defender of privilege. -William Beveridge, economist and reformer (5 Mar 1879-1963) 
> 

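For readers following the thread, here is an added illustration (not part of the original mail, and not code from any of the projects mentioned) of what "requesting claim/claimvalue pairs" via the OpenID Connect `claims` request parameter [4] looks like on both sides: the RP side encodes a JSON object naming the claims it wants, with `essential`, `value` and `values` qualifiers, and the OP side applies that object to the claims it actually holds. All endpoint URLs, client ids and claim names below are hypothetical placeholders.

```python
import json
import urllib.parse

# Constructed example claims request (OpenID Connect Core 1.0, section 5.5).
# It asks for specific claim/value pairs rather than one scope per claim.
# Claim names and values are placeholders, not any real deployment's.
CLAIMS_REQUEST = {
    "userinfo": {
        "eduperson_entitlement": {
            "essential": True,
            "values": ["urn:example:vo:read", "urn:example:vo:write"],
        },
        "email": None,  # null: request the claim with no value constraint
    },
    "id_token": {
        "acr": {"essential": True, "values": ["urn:example:mfa"]},
    },
}


def build_authorization_url(authz_endpoint, client_id, redirect_uri, claims):
    """RP side: put the claims request into the JSON-valued 'claims' query parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return authz_endpoint + "?" + urllib.parse.urlencode(params)


def parse_claims_parameter(url):
    """OP side: recover the claims request from the authorization request URL.

    Returns None when no 'claims' parameter is present; rejects anything that
    is not a JSON object, since the spec defines it as one.
    """
    query = urllib.parse.urlsplit(url).query
    values = urllib.parse.parse_qs(query).get("claims")
    if not values:
        return None
    obj = json.loads(values[0])
    if not isinstance(obj, dict):
        raise ValueError("claims parameter must be a JSON object")
    return obj


def evaluate_claims_request(requested, available):
    """OP side: apply one target's claims request to the claims held for the user.

    Returns (released, unmet_essential). 'released' holds only the claims the RP
    asked for, and for multi-valued claims only the values it asked for, which
    is the data minimization the claims parameter makes possible. Essential
    claims that are absent or whose value requirement cannot be met are listed
    in 'unmet_essential' so the caller can decide how to proceed (the spec
    mandates failure only for specific claims such as 'acr').
    """
    released = {}
    unmet_essential = []
    for name, spec in requested.items():
        if name not in available:
            if spec is not None and spec.get("essential"):
                unmet_essential.append(name)
            continue
        actual = available[name]
        wanted = None
        if spec is not None and "value" in spec:
            wanted = [spec["value"]]
        elif spec is not None and "values" in spec:
            wanted = list(spec["values"])
        if wanted is None:
            released[name] = actual  # no value constraint: release as held
            continue
        # Multi-valued claims (entitlements, groups) satisfy the request if any
        # held value is among the requested ones; single-valued ones must match.
        held = actual if isinstance(actual, list) else [actual]
        matching = [v for v in held if v in wanted]
        if matching:
            released[name] = matching if isinstance(actual, list) else matching[0]
        elif spec.get("essential"):
            unmet_essential.append(name)
    return released, unmet_essential
```

Encoding the same request as scopes would need a naming convention such as the "read:/foo" form mentioned in the thread plus custom parsing on both ends; with the claims parameter the value constraint and the essential/voluntary distinction are carried in a structure the spec already defines.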