[Openid-specs-risc] "Compound" subject types in SSE
Atul Tulshibagwale
atultulshi at google.com
Tue Feb 16 20:22:06 UTC 2021
Hi all,
We discussed an important topic on the call today, and some of us had
separately discussed this earlier. There are a couple of issues with the
draft today:
1. The use of "common claims" e.g. "spag_id" conflicts with the Subject
Identifiers draft, which specifies that claims other than those defined within
the "subject_type" definition must not be included in a subject claim of that
subject_type.
2. We defined a specific "user-device-session" subject type, but are now
discovering use cases that create a multitude of other possibilities. The
immediate one that caused this discussion was the use of an "application"
principal. The use case is where a Transmitter may want to invalidate
sessions associated with a specific application on a specific user or
device.
To address both these issues, Tim Cappalli (Microsoft) and I came up with
this proposal to create multi-valued or "compound" subject claims in SSE
events. This will not require the use of common claims such as "spag_id",
but we can create specific new subject_types such as "tenant" or "OU" as
needed.
Please review the proposal here
<https://docs.google.com/document/d/1stTI18cQy8zTw0u0UjC6NLkjBZAYEU1kNCDru7dEdfQ/edit?usp=sharing>.
It would be great if you can provide your comments and feedback in the next
couple of weeks so that we can have a productive discussion in our next
call on March 2nd. If we make sufficient progress on that call, we
can incorporate the changes into the draft.
Thanks,
Atul
Atul Tulshibagwale
Software Engineer,
Google Workspace
atultulshi at google.com
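The constraint behind issue 1 above, that a subject claim may carry only the members its subject_type defines, is easy to enforce mechanically. The following validator is an added example and is not code from the post, the working group or either draft. Its table of standard subject types and their members is reconstructed from memory of the Subject Identifiers draft (later RFC 9493, which renamed "subject_type" to "format") and should be checked against the current text; the member list for the SSE "user-device-session" type is a placeholder assumption, as is the sample subject carrying a "spag_id" common claim.

```python
"""Check that a subject claim contains only members defined by its subject_type.

Added example, not from the mailing-list post. Standard types are reconstructed
from the Subject Identifiers draft (assumption); "user-device-session" members are
a placeholder for the SSE-defined type named in the post.
"""
from typing import Dict, FrozenSet, List

TYPE_KEY = "subject_type"  # RFC 9493 later renamed this member "format"

# Members each subject_type may carry (assumption: verify against the draft).
ALLOWED_MEMBERS: Dict[str, FrozenSet[str]] = {
    "email": frozenset({"email"}),
    "phone_number": frozenset({"phone_number"}),
    "iss_sub": frozenset({"iss", "sub"}),
    "account": frozenset({"uri"}),
    "opaque": frozenset({"id"}),
    "aliases": frozenset({"identifiers"}),
    "user-device-session": frozenset({"user", "device", "session"}),  # placeholder
}

# Members that must be present. For the SSE type only "at least one member"
# is demanded below (assumption, since the post does not spell this out).
REQUIRED_MEMBERS: Dict[str, FrozenSet[str]] = {
    t: m for t, m in ALLOWED_MEMBERS.items() if t != "user-device-session"
}


def validate_subject(subject: object, _nested: bool = False) -> List[str]:
    """Return a list of violations; an empty list means the subject is well-formed."""
    if not isinstance(subject, dict):
        return ["subject is not a JSON object"]
    stype = subject.get(TYPE_KEY)
    if not isinstance(stype, str):
        return [f'missing or non-string "{TYPE_KEY}"']
    allowed = ALLOWED_MEMBERS.get(stype)
    if allowed is None:
        return [f"unknown {TYPE_KEY} {stype!r}"]
    errors: List[str] = []
    # The rule from the post: nothing outside the type's own definition is
    # permitted, so a "common claim" such as spag_id is rejected for every type.
    for name in sorted(set(subject) - allowed - {TYPE_KEY}):
        errors.append(f"claim {name!r} is not defined for {TYPE_KEY} {stype!r}")
    for name in sorted(REQUIRED_MEMBERS.get(stype, frozenset()) - set(subject)):
        errors.append(f"missing required claim {name!r} for {TYPE_KEY} {stype!r}")
    if stype == "user-device-session" and not (allowed & set(subject)):
        errors.append("user-device-session carries none of its members")
    if stype == "aliases":
        if _nested:
            errors.append("aliases must not be nested inside aliases")
        if "identifiers" in subject:
            ids = subject["identifiers"]
            if not isinstance(ids, list) or not ids:
                errors.append('"identifiers" must be a non-empty array')
            else:
                for i, inner in enumerate(ids):
                    errors.extend(f"identifiers[{i}]: {e}"
                                  for e in validate_subject(inner, _nested=True))
    return errors


# Constructed sample: an email subject decorated with a "common claim".
SUBJECT_WITH_COMMON_CLAIM = {
    TYPE_KEY: "email",
    "email": "alice@example.com",
    "spag_id": "constructed-placeholder-id",
}

if __name__ == "__main__":
    for problem in validate_subject(SUBJECT_WITH_COMMON_CLAIM):
        print("violation:", problem)
```

Nested members of the placeholder "user-device-session" type are not themselves validated here; a compound-subject design such as the one proposed would need to decide whether each component is itself a full subject claim subject to the same rule.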