From: Sander A. <sa....@fz...> - 2022-02-15 14:26:14
Hello Krzysztof, hello Roman,

since our connected SPs are growing we do get further feature requests, which I want to share with you.

The first one is a possibility to change the aud of a registered client. At the moment Unity uses the registered username of the OIDC client, which is fine according to the RFC. But there are connected services which do use the audience, too. In this specific use-case the token was generated by the user using the oidc-agent tool [1]. The generated token was sent via an API to dCache, which validates the token. dCache is also checking the audience and rejects all tokens having an unsupported audience. The OIDC agent has an option to request a specific aud value for the token and forwards this request to the AS. Together with the request users showed us examples where Indigo IAM does support this. Would it be possible to implement this in Unity, too?

The second request we got is about user attributes within the token. The user who made the request told us that the targeted software does not support requests to the userinfo endpoint and does not keep consistent information about the user. For this they need information about the user in the token itself. I got the friendly hint that WLCG does it in this way. We already talked in the past about the possibility to add own claims. Maybe the better solution would be supporting the request parameter to allow SPs to request the needed claims themselves instead of adding some claims in general. Would this be an option for Unity?

If you want we could discuss this request in more detail.

Best regards,
Sander

[1]: https://indigo-dc.gitbook.io/oidc-agent/

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
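The audience check described in the message, sketched as an added example; it is not part of the original e-mail and is not dCache or Unity code. The client name, the accepted audience URL, the sample tokens and the choice to reject tokens without an aud claim are all constructed assumptions.

```python
import base64
import json

# Assumed value: the audience the resource server is configured to accept.
ACCEPTED_AUDIENCES = {"https://dcache.example.org"}

def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def payload_claims(jwt: str) -> dict:
    # Reads the claims only. Signature validation is assumed to have been
    # done already; nothing here may be trusted without it.
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))

def audience_accepted(claims: dict, accepted: set) -> bool:
    # RFC 7519: "aud" is either a single string or an array of strings.
    aud = claims.get("aud")
    if aud is None:
        return False  # assumed policy: a token without aud is rejected
    values = [aud] if isinstance(aud, str) else aud
    if not isinstance(values, list) or not all(isinstance(v, str) for v in values):
        return False  # malformed aud claim
    return any(v in accepted for v in values)

def make_sample_token(claims: dict) -> str:
    # Constructed sample with a placeholder signature segment.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2lnLXBsYWNlaG9sZGVy"

# Token whose aud is the client's registered name (the current situation).
TOKEN_CLIENT_AUD = make_sample_token(
    {"sub": "user-1", "aud": "oidc-agent-client"})
# Token issued with the aud value the client asked for.
TOKEN_REQUESTED_AUD = make_sample_token(
    {"sub": "user-1", "aud": ["https://dcache.example.org", "oidc-agent-client"]})

if __name__ == "__main__":
    for name, tok in [("client aud", TOKEN_CLIENT_AUD),
                      ("requested aud", TOKEN_REQUESTED_AUD)]:
        ok = audience_accepted(payload_claims(tok), ACCEPTED_AUDIENCES)
        print(name, "->", "accepted" if ok else "rejected")
```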