Allow for alternative AuthZ flows

Issue #1359 new
Thomas Bellebaum created an issue

Aggregated Claims may serve as attestation of claims to a generic class of identities. These identities may be users that are capable of following an OIDC Authorization flow, but they may also add identities to e.g. devices registered as clients to the IA.

Therefore, we should clearly separate the following two phases and their purposes:

  • Setup Phase: Establishing the IA-known identity (e.g. a legal entity) on behalf of which claims are issued, as well as ensuring consent of that entity.

  • Delivery Phase: Binding aggregated claims to a (possibly purpose-bound, freshly generated) IdA-chosen identity (e.g. a DID).

This approach has the advantage that we do not necessarily rely on the OIDC Authorization flow for the setup phase. Devices wishing to have their claims attested by an IA may use e.g. the client_credentials grant type to gain an access token at the token endpoint and may then use this token at the claims endpoint.

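Added example (not part of the issue text, the draft, or any fork mentioned here): a self-contained Python simulation of the two phases sketched above. The token endpoint implements the client_credentials grant for a constructed device registration (setup phase), and the claims endpoint returns aggregated claims in the OIDC Core 5.6.2 _claim_names/_claim_sources layout with the embedded JWT bound to a caller-chosen DID (delivery phase). The IA identifier, the client registration, the claim names and the HS256 signing key are all assumptions made for illustration; HS256 is used only to keep the example dependency-free, and a real IA would sign with an asymmetric key so that a presentation can be verified without the IA's secret.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ISSUER = "https://ia.example"              # assumed IA identifier, not from the draft
SIGNING_KEY = b"constructed-ia-hs256-key"   # constructed; a real IA would use an asymmetric key
TOKEN_TTL = 600                             # lifetime of a setup-phase access token (seconds)

# Constructed client registry: the setup phase ties each registered device to the
# IA-known legal entity whose claims the device may have attested.
CLIENTS = {
    "device-42": {
        "secret": "device-42-constructed-secret",
        "entity": {"legal_name": "ACME GmbH", "jurisdiction": "DE"},
    },
}
ACCESS_TOKENS = {}  # opaque access token -> {"client_id", "entity", "exp"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jws(payload: dict) -> str:
    """Compact HS256 JWS over a JSON payload (enough to show the binding; no external libs)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_jws(token: str) -> dict:
    """Verify an HS256 compact JWS; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWS")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # reject alg confusion such as "none"
    expected = hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(body_b64))
    if payload.get("iss") != ISSUER or payload.get("exp", 0) < time.time():
        raise ValueError("wrong issuer or expired")
    return payload


def token_endpoint(form: dict) -> dict:
    """Setup phase: client_credentials grant establishes which IA-known entity is acting."""
    if form.get("grant_type") != "client_credentials":
        return {"error": "unsupported_grant_type"}
    client = CLIENTS.get(form.get("client_id", ""))
    presented = form.get("client_secret", "")
    if client is None or not hmac.compare_digest(client["secret"].encode(), presented.encode()):
        return {"error": "invalid_client"}   # same answer for unknown id and wrong secret
    token = secrets.token_urlsafe(32)
    ACCESS_TOKENS[token] = {"client_id": form["client_id"], "entity": client["entity"],
                            "exp": time.time() + TOKEN_TTL}
    return {"access_token": token, "token_type": "Bearer", "expires_in": TOKEN_TTL}


def claims_endpoint(authorization: str, request: dict) -> dict:
    """Delivery phase: bind the entity's claims to the caller-chosen identity (a DID)."""
    scheme, _, token = authorization.partition(" ")
    record = ACCESS_TOKENS.get(token) if scheme == "Bearer" else None
    if record is None or record["exp"] < time.time():
        return {"error": "invalid_token"}
    subject = request.get("sub")
    if not isinstance(subject, str) or not subject.startswith("did:"):
        return {"error": "invalid_request"}  # this IA only binds to DID-style subjects
    now = int(time.time())
    # The IA signs the entity's claims about the (possibly fresh) DID and returns them in
    # the OIDC Core 5.6.2 aggregated-claims layout so the consumer can find the JWT.
    attested = sign_jws({"iss": ISSUER, "sub": subject, "iat": now, "exp": now + 3600,
                         **record["entity"]})
    return {
        "sub": subject,
        "_claim_names": {name: "ia" for name in record["entity"]},
        "_claim_sources": {"ia": {"JWT": attested}},
    }


def consume_aggregated_claims(response: dict) -> dict:
    """Relying-party side: verify each source JWT and its subject binding before trusting a claim."""
    verified = {}
    for name, source in response["_claim_names"].items():
        payload = verify_jws(response["_claim_sources"][source]["JWT"])
        if payload.get("sub") != response.get("sub"):
            raise ValueError("claim source is bound to a different subject")
        verified[name] = payload[name]
    return verified
```

The point the simulation makes is that nothing in the delivery phase depends on how the setup phase authenticated the caller: the claims endpoint only needs a valid access token that resolves to an IA-known entity, so a device authenticating with client_credentials and a user coming out of an OIDC authorization flow can share the same claims endpoint. Consent handling for the setup phase is out of scope of the example and is represented only by the static client registration.
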
Comments (4)

  1. Thomas Bellebaum reporter

    I am not entirely sure I understand your comment. The idea was to extend the possibilities to issue e.g. Verifiable Credentials given by the draft to non-people. This communication should never involve a SIOP, wallet etc. acting as an OP, but rather as a subject and, in many cases, a RP. The communication endpoint would usually be a trusted non-SIOP OP which could issue credentials to the e.g. wallet for it to show a data-minimized presentation to a requesting party demanding proof of the wallet’s identity.

    The write-up seems to deal mostly with credentials for “people”. Please correct me if I am wrong.

  2. Tom Jones

    Yeah, I guess that non human interactions seemed out-of-scope to me. Perhaps that’s the discussion that needs to happen.

  3. Thomas Bellebaum reporter

    I have made some necessary changes in this fork, if anyone is interested in checking out how much (or not much at all) would have to be changed in order to support non-human identities in this draft.

    I would file a Pull Request to thoroughly discuss this, but need to wait for company approval before I may sign the Intellectual Property and Contribution Agreements.
