[Openid-specs-risc] New example SET for discussion
Tim Cappalli
Tim.Cappalli at microsoft.com
Tue Aug 25 15:52:08 UTC 2020
Hi all,
After some more discussions, I think the example I was using in the previous conversation was confusing and would result in processing inconsistency and/or complexity (as discussed).
Here is what we would consider a widely used SET. In this case two subject identifiers are provided so it will be processed as an AND.
{
  "iss": "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/",
  "jti": "756E69717565206964656E746966696572",
  "iat": 1597158239,
  "aud": "https://outlook.office365.com/",
  "events": {
    "https://schemas.openid.net/secevent/caep/event-type/sessions-revoked": {
      "subject": [
        {
          "subject_type": "iss-sub",
          "iss": "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/",
          "sub": "07bdd8df-3bcd-4562-9ffc-5e355f7e8ba1",
          "subject_category": "device"
        },
        {
          "subject_type": "iss-sub",
          "iss": "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/",
          "sub": "573d9c1c-b4e0-4cac-8927-6d43691fa898",
          "subject_category": "user"
        }
      ]
    }
  }
}
The reason that we need multiple subject identifiers is that some event consumers are not able to identify a local session based on a device ID or a session ID.
Looking forward to the discussion today.
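
Added example, not part of the original message: one way an event consumer could apply the AND processing described above to the SET shown. The session table, its field names and the function names are assumptions made for illustration, as is the choice that a session with no recorded device does not match.

```python
EVENT = "https://schemas.openid.net/secevent/caep/event-type/sessions-revoked"
TENANT = "https://sts.windows.net/2d1ae189-3d85-44cf-8437-26fba424feaf/"
DEVICE = "07bdd8df-3bcd-4562-9ffc-5e355f7e8ba1"
USER = "573d9c1c-b4e0-4cac-8927-6d43691fa898"

# Claims of the SET from the message; JWT signature, iss and aud checks are
# assumed to have passed before this point.
SET_CLAIMS = {
    "iss": TENANT,
    "jti": "756E69717565206964656E746966696572",
    "iat": 1597158239,
    "aud": "https://outlook.office365.com/",
    "events": {EVENT: {"subject": [
        {"subject_type": "iss-sub", "iss": TENANT, "sub": DEVICE,
         "subject_category": "device"},
        {"subject_type": "iss-sub", "iss": TENANT, "sub": USER,
         "subject_category": "user"},
    ]}},
}

# Constructed local session table (hypothetical schema).
SESSIONS = [
    {"id": "s1", "iss": TENANT, "user": USER, "device": DEVICE},
    {"id": "s2", "iss": TENANT, "user": USER, "device": "constructed-other-device"},
    {"id": "s3", "iss": TENANT, "user": "constructed-other-user", "device": DEVICE},
    {"id": "s4", "iss": TENANT, "user": USER, "device": None},  # device unknown
]


def subject_filters(claims):
    """Return the (category, iss, sub) triples a session must ALL match."""
    filters = []
    for subj in claims["events"][EVENT]["subject"]:
        if subj.get("subject_type") != "iss-sub":
            raise ValueError("unsupported subject_type")
        filters.append((subj["subject_category"], subj["iss"], subj["sub"]))
    if not filters:
        # all() over an empty list is True and would revoke every session.
        raise ValueError("SET carries no subject identifiers")
    return filters


def sessions_to_revoke(claims, sessions):
    """AND semantics: keep only sessions matching every subject identifier."""
    filters = subject_filters(claims)
    return [s["id"] for s in sessions
            if all(s["iss"] == iss and s.get(cat) == sub
                   for cat, iss, sub in filters)]
```

With both identifiers present only the session for that user on that device is selected; the same user's sessions on other devices are left alone.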