[openid-specs-rande] Torsten's nice blog / claims request / scopes
Hannah Short
hannah.short08 at gmail.com
Mon May 27 07:28:55 UTC 2019
Joining a little late...
> why not implement something that's already in the spec and in a way that is
> much more scalable
>
I think this makes a lot of sense. Rather than rolling our own thing and
pushing for adoption, referring to the standard and encouraging people to
implement it seems a much better solution.
On Mon, 20 May 2019 at 20:54, Mischa Salle <msalle at nikhef.nl> wrote:
> On Mon, May 20, 2019 at 08:49:39PM +0200, Roland Hedberg wrote:
> > Hi Mischa,
> >
> > I think that the reason the discussion started on not relying on using the
> > claims parameter was that some implementations (most notably
> > PingFederate) didn't support it.
> >
> > Now, it turns out that we are not the only community that is looking
> > at claims to solve a problem.
> > Which will hopefully make implementers take note and actually support it.
> which would indeed be great.
>
> My point however was even stronger. In order to support the scenarios
> such as https://scitokens.org/technical_docs/Claims#scitokens-scopes
> driven by e.g. WLCG, people will have to implement new things, so why
> not implement something that's already in the spec and in a way that is
> much more scalable (since you can easily request claim/claim-value
> pairs)?
>
> > Using scope to solve the data minimization problem has always been a kludge.
> I fully agree...
>
> Best wishes,
> Mischa
>
> >
> > > On 20 May 2019, at 20:39, Mischa Salle <msalle at nikhef.nl> wrote:
> > >
> > > Hi all,
> > >
> > > after reading Torsten's very nice blogpost [1], and Nat Sakimura's
> > > answer [2], (thanks to Jim Basney for pointing it out on the
> > > discuss at scitokens.org mailing list [3]) I started wondering why we
> > > actually are not using the claims request [4].
> > > The reason we started using 'scopes per claim' is because of a lack of
> > > support for the 'claims parameter', which is optional in the spec,
> > > unlike the 'scope' parameter which is always supported. But now we've
> > > gotten to the point where we need to put structure in the scopes, things
> > > like "read:/foo" and the like, but using that would *also* require
> > > support for non-standard things in client- and server software...?
> > > So, am I missing something or have we just made a nice circle?
> > >
> > > Best wishes,
> > > Mischa
> > >
> > >
> > > [1]
> https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
> > > [2]
> https://nat.sakimura.org/2019/05/12/comments-back-to-transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-by-torsten/
> > > [3]
> https://groups.google.com/a/scitokens.org/forum/#!topic/discuss/bpshiUuqRtg
> > > [4]
> https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
> > >
> > > --
> > > Nikhef Room H155
> > > Science Park 105 Tel. +31-20-592 5102
> > > 1098 XG Amsterdam Fax +31-20-592 5155
> > > The Netherlands Email msalle at nikhef.nl
> > > __ .. ... _._. .... ._ ... ._ ._.. ._.. .._..
> > > --
> > > openid-specs-rande mailing list
> > > openid-specs-rande at lists.openid.net
> > > http://lists.openid.net/mailman/listinfo/openid-specs-rande
> >
> > — Roland
> > Scratch a pessimist and you find often a defender of privilege. - William
> > Beveridge, economist and reformer (5 Mar 1879-1963)
> >
>
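The thread contrasts encoding claim values into scopes ("read:/foo") with the OpenID Connect `claims` request parameter [4], which lets a client ask for specific claim/value pairs. The example below is added here and is not code from the thread, from SciTokens, or from any OP/RP implementation: it builds an authorization request carrying a `claims` parameter, parses and shape-checks that parameter on the server side, and then releases only the claims that were requested and whose values match. The OP endpoint, client, redirect URI, claim names and user record are constructed for illustration; intersecting a list-valued claim with the requested `values` is a design choice of this example, not something the spec prescribes.

```python
"""Requesting claim/value pairs with the OpenID Connect 'claims' parameter
(https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter)
rather than encoding them into scopes.  Added example; the endpoint, client,
claim names and user record below are constructed, not taken from any OP."""
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed sample data: hypothetical OP endpoint and one user's claims.
AUTHZ_ENDPOINT = "https://op.example.org/authorize"
USER_CLAIMS = {
    "sub": "alice",
    "email": "alice@example.org",
    "eduperson_entitlement": ["urn:example:wlcg:read:/foo",
                              "urn:example:wlcg:read:/bar"],
}


def build_authorization_url(client_id, redirect_uri, claims_request, state):
    """Client side: serialise the claims request JSON into the 'claims' parameter."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",          # 'openid' is still required; no per-claim scopes
        "state": state,
        "claims": json.dumps(claims_request, separators=(",", ":")),
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_claims_parameter(url):
    """Server side: extract the 'claims' parameter and validate its shape.
    Only the 'id_token' and 'userinfo' sections are defined; each member is
    either null (voluntary, unconstrained) or an object limited to the keys
    'essential', 'value' and 'values'."""
    qs = parse_qs(urlparse(url).query)
    raw = qs.get("claims", [None])[0]
    if raw is None:
        return {}
    claims = json.loads(raw)
    if not isinstance(claims, dict):
        raise ValueError("claims must be a JSON object")
    for section, members in claims.items():
        if section not in ("id_token", "userinfo"):
            raise ValueError(f"unknown claims section {section!r}")
        if not isinstance(members, dict):
            raise ValueError(f"{section} must be a JSON object")
        for name, spec in members.items():
            if spec is None:
                continue
            if not isinstance(spec, dict) or not set(spec) <= {"essential", "value", "values"}:
                raise ValueError(f"bad request for claim {name!r}")
    return claims


def _matches(have, spec):
    """Apply 'value'/'values' constraints to the user's actual claim value.
    List-valued claims are intersected with the requested values (an
    assumption of this example).  Returns None when nothing can be released."""
    if spec is None or ("value" not in spec and "values" not in spec):
        return have
    wanted = set(spec.get("values", []))
    if "value" in spec:
        wanted.add(spec["value"])
    if isinstance(have, list):
        hit = [v for v in have if v in wanted]
        return hit or None
    return have if have in wanted else None


def apply_claims_request(user_claims, claims_request, section="id_token"):
    """Release only the claims that were requested and that match.
    Returns (released, unmet_essential).  Per the spec the OP must not error
    merely because a claim, essential or not, cannot be returned, so unmet
    essential claims are reported rather than raised."""
    released, unmet = {}, []
    for name, spec in claims_request.get(section, {}).items():
        got = _matches(user_claims.get(name), spec)
        if got is not None:
            released[name] = got
        elif spec and spec.get("essential"):
            unmet.append(name)
    return released, unmet


if __name__ == "__main__":
    request = {"id_token": {
        "eduperson_entitlement": {"essential": True,
                                  "values": ["urn:example:wlcg:read:/foo"]},
        "email": None,
        "given_name": {"essential": True},
    }}
    url = build_authorization_url("client-1", "https://rp.example.org/cb", request, "xyz")
    print(apply_claims_request(USER_CLAIMS, parse_claims_parameter(url)))
```

The request above asks for one specific entitlement value, the e-mail as a voluntary claim, and a given name the OP does not hold; only the first two are released, and the missing essential claim is reported back so the OP or RP can decide what to do, which is exactly the claim/value granularity the thread says scopes cannot express without inventing non-standard syntax.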