[openid-specs-rande] Torsten's nice blog / claims request / scopes
Mischa Salle
msalle at nikhef.nl
Tue Jun 4 12:16:00 UTC 2019
Hi Torsten,

On Mon, Jun 03, 2019 at 01:44:31PM +0200, Torsten Lodderstedt wrote:
[...]
> >> Based on my proposal in the article, such a scope could look like this:
> >>
> >> "structured_scope":{
> >>    "storage_access":{
> >>       "resource":"/foo/subdir",
> >>       "actions":["read", "write"]
> >>    }
> >> }
> >>
> >> What do you think?
> >
> > I agree a structured_scope would be more suitable since it allows more
> > structure and flexibility. A claims request would typically request a
> > claim with a value, not something like storage_access with two different
> > key/value pairs. But the advantage is that it is already there, and even
> > though the support is not everywhere (which was the motivation for
> > looking at scopes-per-claim), it's still part of the core OIDC spec.
>
> Well, it’s there with a well-defined syntax and semantics for
> requesting claims in id tokens and user info responses.
>
> If you go beyond those use cases, the difference between a new
> mechanism and the existing mechanism goes down to zero since existing
> implementations at most support what is defined in the OIDC spec.

True, if we need things that aren't possible with the claims request,
then introducing something new and with all the required properties
(your structured_scope) is indeed much better.
I just have some hope we perhaps could do without something new...

Best wishes,
Mischa
--
Nikhef Room H155
Science Park 105 Tel. +31-20-592 5102
1098 XG Amsterdam Fax +31-20-592 5155
The Netherlands Email msalle at nikhef.nl
__ .. ... _._. .... ._ ... ._ ._.. ._.. .._..