Privacy consideration - "replay of long term grants at AS"

Issue #318 resolved
Dave Tonge created an issue

Discussion under consent here: https://bitbucket.org/openid/fapi/pull-requests/187

We have this clause: “should clearly identify long-term grants to the user during authorization as in 16.18 of OIDC; and”

But there is a suggestion that we have something in the privacy considerations, maybe….

(Data misidentification by User at RP) User could misunderstand the data they are releasing to the RP, so best practice is for the AS to make clear what data will be released to the RP.

I’m not happy with the wording, but it’s a start.

Comments (9)

  1. Dima Postnikov

    In regards to the original clause..

    Is it only applicable to “long-term” grants?

    “should clearly identify the details of the grant to the user during authorization as in 16.18 of OIDC; and”

    In regards to the suggestion for privacy considerations: Not sure what is the best way to put it, but it’s not just about user misunderstanding, right? We are trying to address the mismatch between user’s understanding or what RP is displaying to a user and the actual authorization request.

    (Mismatch between User’s understanding or what RP is displaying to a user and the actual authorization request). To enhance the trust of the ecosystem, best practice is for the AS to make clear what is included in the authorisation request (for example, what data will be released to the RP).

    Not the perfect wording but another option.

  2. Nat Sakimura

    Agreed. It is not only for long-term grants.

    One of the things that the AS can do, but the Client cannot, is to provide the actual value that is being provided to the Client. Thus, as the project leader of the privacy notice and consent standard (ISO/IEC 29184), I would advocate it. It provides a really good list of what needs to be done at the data controller that is providing data.
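The two comments above both ask the AS to close the gap between what the RP shows the user and what the authorization request actually contains: enumerate every scope and claim being requested, flag long-term grants (`offline_access`, per OIDC Core 16.18), and, since only the AS holds the data, show the real values that would be released. The following is an added illustration written for this page, not code from the FAPI working group or any implementation. It assumes a minimal scope-to-claim table (the standard OIDC groupings), a hypothetical user record passed in as a dict, and a constructed sample request; the helper names (`build_consent_summary`, `render`) are our own.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard OIDC scope-to-claim groupings (OIDC Core section 5.4); only the
# subset needed for the example is listed here.
SCOPE_CLAIMS = {
    "profile": ["name", "given_name", "family_name", "birthdate"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}
# Scopes that release no user data by themselves.
NON_DATA_SCOPES = {"openid", "offline_access"}


@dataclass
class ConsentLine:
    claim: str
    value: Optional[str]   # actual value the AS would release; None if none on file
    essential: bool        # marked essential by the RP in the claims parameter


@dataclass
class ConsentSummary:
    client_id: str
    lines: List[ConsentLine]
    long_term: bool                        # request includes offline_access
    refresh_lifetime_days: Optional[int]   # only meaningful for long-term grants
    unknown_scopes: List[str]              # scopes the AS cannot explain to the user


def requested_claims(params: Dict):
    """Return ({claim: essential}, [unknown scopes]) for everything the request
    asks for via `scope` and the `claims` parameter (OIDC Core 5.4 and 5.5)."""
    claims: Dict[str, bool] = {}
    unknown: List[str] = []
    for scope in params.get("scope", "").split():
        if scope in NON_DATA_SCOPES:
            continue
        if scope in SCOPE_CLAIMS:
            for c in SCOPE_CLAIMS[scope]:
                claims.setdefault(c, False)
        else:
            unknown.append(scope)   # surface it rather than silently dropping it
    raw = params.get("claims")
    if raw:
        spec = json.loads(raw) if isinstance(raw, str) else raw
        for target in ("userinfo", "id_token"):
            for c, opts in (spec.get(target) or {}).items():
                essential = bool(opts) and bool(opts.get("essential"))
                claims[c] = claims.get(c, False) or essential
    return claims, unknown


def build_consent_summary(params: Dict, user: Dict[str, str],
                          refresh_lifetime_days: Optional[int] = None) -> ConsentSummary:
    """Resolve the request against the user's record (hypothetical dict) so the
    screen can show real values, and flag offline_access as a long-term grant."""
    claims, unknown = requested_claims(params)
    long_term = "offline_access" in params.get("scope", "").split()
    lines = [ConsentLine(c, user.get(c), ess) for c, ess in sorted(claims.items())]
    return ConsentSummary(params["client_id"], lines, long_term,
                          refresh_lifetime_days if long_term else None, unknown)


def render(summary: ConsentSummary) -> str:
    """Plain-text rendering of what the consent screen would say."""
    out = [f"{summary.client_id} is asking for access to:"]
    for line in summary.lines:
        shown = line.value if line.value is not None else "(not on file)"
        tag = " [required by the app]" if line.essential else ""
        out.append(f"  - {line.claim}: {shown}{tag}")
    for s in summary.unknown_scopes:
        out.append(f"  - scope '{s}' (no description available; check with the app)")
    if summary.long_term:
        days = summary.refresh_lifetime_days
        when = f"up to {days} days" if days is not None else "until you revoke it"
        out.append(f"  ! This access continues {when} without asking you again.")
    return "\n".join(out)


# Constructed sample request and user record (not from any real deployment).
SAMPLE_REQUEST = {
    "client_id": "example-budgeting-app",
    "scope": "openid email offline_access accounts",
    "claims": json.dumps({"userinfo": {"birthdate": {"essential": True}, "name": None}}),
}
SAMPLE_USER = {"name": "A. Example", "email": "a.example@example.com",
               "email_verified": "true", "birthdate": "1980-01-01"}

if __name__ == "__main__":
    print(render(build_consent_summary(SAMPLE_REQUEST, SAMPLE_USER, 90)))
```

The design point is that the summary is derived from the request the AS actually received, never from text supplied by the RP, so an RP that describes the grant differently on its own screen cannot change what the user sees at the AS. Unrecognised scopes are listed explicitly instead of being hidden, and the long-term warning is driven by `offline_access` plus the AS's configured refresh-token lifetime.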