Attached is a brief presentation about a resource aggregation approach based on an online loan scenario and the OpenID Connect message specification.
I hope it's useful for the discussion of issue #31 (and maybe #25).
Cheers,
Domenico
You can't, however, have spaces in a scope name.
The OAuth request would look like:
https://server.example.com/authorize?
response_type=code%20id_token
&client_id=s6BhdRkqt3
&redirect_uri=https%3A%2F%2Fclient.example.com%2Fcb
&scope=openid
&state=af0ifjsldkj
&nonce=n-0S6_WzA2Mj
&request=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJyZXNwb25zZV90eXBlIjoiY2
9kZSBpZF90b2tlbiIsImNsaWVudF9pZCI6InM2QmhkUmtxdDMiLCJyZWRpcmVjdF91cmkiOi
JodHRwczpcL1wvY2xpZW50LmV4YW1wbGUuY29tXC9jYiIsInNjb3BlIjoib3BlbmlkIHByb2
ZpbGUiLCJzdGF0ZSI6ImFmMGlmanNsZGtqIiwibm9uY2UiOiJuLTBTNl9XekEyTWoiLCJ1c2
VyaW5mbyI6eyJjbGFpbXMiOnsibmFtZSI6bnVsbCwibmlja25hbWUiOnsib3B0aW9uYWwiOn
RydWV9LCJlbWFpbCI6bnVsbCwidmVyaWZpZWQiOm51bGwsInBpY3R1cmUiOnsib3B0aW9uYW
wiOnRydWV9fX0sImlkX3Rva2VuIjp7Im1heF9hZ2UiOjg2NDAwLCJjbGFpbXMiOnsiYWNyIj
p7InZhbHVlcyI6WyIyIl19fX19.ou2Yc1B9a5iZLqbzBxE95aNS0pSfRClCqM77n85ehGo
The contents of the request parameter would be a JWT-serialized JSON object:
{
  "response_type": "code id_token",
  "client_id": "s6BhdRkqt3",
  "scope": "openid",
  "userinfo":
  {
    "claims":
    {
      "name": null,
      "nickname": {"optional": true},
      "email": null,
      "verified": null,
      "address": null,
      "http://schema.com/payment_info": null,
      "http://schema.com/credit_score": {"trust_framework": "some trust framework", "signed": true}
    }
  }
}
During client registration you set the signature format for the user info response. The signature on the attribute would be requested as a defined parameter for that attribute.
Any claims outside of the base set must come from a collision-resistant namespace, so mostly URIs.
You could have asked for the address and the other default info by using scopes. Claims in scopes are optional.
Claims are required unless you set the optional attribute. So name etc. are required claims; if they can't be provided you will get back an error.
I made up some likely parameters for your claims. You may only want them from providers that belong to some trust framework. You may also want the individual claim signed by its issuer.
John B.
> <UMA_basket_v01.pdf>_______________________________________________
> WG-UMA mailing list
> WG-...@kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma
- Rainer
If you ask for the profile scope you are asking for birthday as an optional claim in a basket of optional claims.
You can use the request object if you want a subset of that bucket or you want the claim to be required.
John
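As an added example (not code from the thread or from any OpenID Connect implementation), here is a small Python script that ties together John's two points above: the request parameter is a signed JWT carrying the claims request, and claims named in the request object are required unless marked optional, while claims that come only from a scope basket are optional. The HS256 secret, the "profile" basket membership, the user's available attributes and the helper names (make_request_object, parse_request_object, resolve_userinfo_claims) are all assumptions constructed for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared secret for the HS256 example (not a real client secret).
CLIENT_SECRET = b"constructed-example-secret"

# Assumed subset of the "profile" scope's optional claim basket; the exact
# membership is an assumption for this example.
PROFILE_SCOPE_CLAIMS = ("name", "nickname", "picture", "birthdate")


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT compact serialization requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_request_object(payload: dict, secret: bytes = CLIENT_SECRET) -> str:
    """Serialize the request object as an HS256-signed compact JWT."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def parse_request_object(token: str, secret: bytes = CLIENT_SECRET) -> dict:
    """Verify the HS256 signature and return the decoded payload.

    The expected alg is pinned by the verifier rather than trusted from the
    header, so a header that names another algorithm is rejected outright.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have three segments")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def resolve_userinfo_claims(request: dict, available: dict) -> dict:
    """Apply the required/optional semantics described in the thread.

    - claims that come from a scope basket (here only "profile") are optional;
    - claims named under request["userinfo"]["claims"] are required unless
      their value carries {"optional": true};
    - a missing required claim produces an error instead of a partial answer.
    """
    scopes = request.get("scope", "").split()
    requested = {}
    if "profile" in scopes:
        requested.update({name: {"optional": True} for name in PROFILE_SCOPE_CLAIMS})
    # The request object refines the scope basket, e.g. to make a claim required.
    requested.update(request.get("userinfo", {}).get("claims", {}))

    missing_required = [
        name for name, spec in requested.items()
        if name not in available
        and not (isinstance(spec, dict) and spec.get("optional"))
    ]
    if missing_required:
        return {
            "error": "invalid_request",
            "error_description": "required claims missing: "
            + ", ".join(sorted(missing_required)),
        }
    return {name: available[name] for name in requested if name in available}


if __name__ == "__main__":
    # Constructed request modelled on the one in the thread.
    req = {
        "response_type": "code id_token",
        "client_id": "s6BhdRkqt3",
        "scope": "openid profile",
        "userinfo": {"claims": {"name": None, "nickname": {"optional": True},
                                "email": None}},
    }
    token = make_request_object(req)
    decoded = parse_request_object(token)
    # Constructed user record: nickname is absent but optional, so no error.
    print(resolve_userinfo_claims(decoded, {"name": "Jane Doe",
                                            "email": "jane@example.com"}))
```

Note that the "profile" basket only ever adds optional entries; the request object is what turns name and email into required claims, and the error branch is what the thread means by "if they can't be provided you will get back an error".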
Domenico
This is exactly the use case I would need to satisfy to use UMA for
the CommIT project. In my case, various sources of student attributes
(Testing agencies, various school transcripts, financial aid records,
letters of references), keyed to each other by a unique student
identifier provided by a central identity provider, may each need
permission to release selected records to create a complete college
application.
--
Arnie Miles
Middleware Architect; Office of the Principal Technologist
Adjunct Assistant Professor of Computer Science
Georgetown University
3300 Whitehaven Street NW
Washington, DC 20007
202.687.9379
http://code.google.com/p/thebes/
"One must still have chaos in oneself to be able to give birth to a
dancing star."
Friedrich Nietzsche
Eve
Eve Maler http://www.xmlgrrl.com/blog
+1 425 345 6756 http://www.twitter.com/xmlgrrl