[Openid-specs-risc] "Compound" subject types in SSE
Atul Tulshibagwale
atultulshi at google.com
Tue Feb 23 01:50:40 UTC 2021
Hi all,
A quick reminder to please review this proposal and provide your feedback
and/or comments. It'll be good to review the feedback in the call on
Tuesday next week.
Thanks,
Atul
On Tue, Feb 16, 2021 at 12:22 PM Atul Tulshibagwale <atultulshi at google.com>
wrote:
> Hi all,
> We discussed an important topic on the call today, and some of us had
> separately discussed this earlier. There are a couple of issues with the
> draft today:
>
> 1. The use of "common claims", e.g. "spag_id", conflicts with the
> Subject Identifiers draft, which specifies that claims other than those
> defined within the "subject_type" definition must not be included in a
> subject claim of that subject_type.
> 2. We defined a specific "user-device-session" subject type, but are
> now discovering use cases that create a multitude of other possibilities.
> The immediate one that caused this discussion was the use of an
> "application" principal. The use case is where a Transmitter may want to
> invalidate sessions associated with a specific application on a specific
> user or device.
>
> To address both these issues, Tim Cappalli (Microsoft) and I came up with
> this proposal to create multi-valued or "compound" subject claims in SSE
> events. This will not require the use of common claims such as "spag_id",
> but we can create specific new subject_types such as "tenant" or "OU" as
> needed.
>
> Please review the proposal here
> <https://docs.google.com/document/d/1stTI18cQy8zTw0u0UjC6NLkjBZAYEU1kNCDru7dEdfQ/edit?usp=sharing>.
> It will be great if you can provide your comments and feedback in the next
> couple of weeks so that we can have a productive discussion in our next
> call on March 2nd. If we can make sufficient progress in the call there, we
> can incorporate the changes into the draft.
>
> Thanks,
> Atul
>
>
>
>
> Atul Tulshibagwale
>
> Software Engineer,
>
> Google Workspace
>
> atultulshi at google.com
>