From: Marcus H. <ha...@ki...> - 2022-03-08 14:48:24

Hi There,

one note on this: if there is only a `scopes`, and no `scopes_at` in the request, one could default to putting the same scopes into the AT and in the userinfo.

I think then it's least painful to introduce this.

M.

On 08. Mar 2022 07:20, Sander Apweiler wrote:
> Good morning Krzysztof,
> sorry for the delay. I had this still on my agenda. I think this would
> work, too.
>
> I fully understand that the request of individual claims is a lot of
> work with very little usage.
>
> Cheers,
> Sander
>
> On Mon, 2022-03-07 at 15:31 +0100, Krzysztof Benedyczak wrote:
> > hi,
> >
> > On 01.03.2022 at 17:06, Krzysztof Benedyczak wrote:
> > > Hi,
> > >
> > > On 01.03.2022 at 09:46, Sander Apweiler wrote:
> > > > Good morning,
> > > >
> > > > a short addition. It is not only the oidc-agent which has a
> > > > problem with the token size. EUDAT B2SAFE has it as well because
> > > > they use the token as password in iRODS and this has also
> > > > limitations in size.
> > > >
> > > > And yes the most problems for switching the scopes would be for
> > > > the users of the oidc-agent. Because all other set them once.
> > >
> > > So maybe after all a proprietary request flag saying "add all
> > > claims to JWT AT"? Proprietary, but also dead simple and
> > > addressing your use cases in a direct way.
> >
> > Sander, any opinions here?
> >
> > Wrt to Marcus proposal, the name of the parameter can be "scopes_at"
> > (or alike).
> >
> > That said I'm very doubtful whether this should go inside the
> > 'claims' request parameter. Which as spec says is to request
> > individual claims and would be counter intuitive to use it for
> > specifying which scopes should go to AT (and we would need to
> > support the base spec, which is kinda "ton of work and no one will
> > use it").
> >
> > Best,
> > Krzysztof
>
> --
> Federated Systems and Data
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...

--
Marcus.