Privacy consideration - "replay of long term grants at AS"
Discussion under consent here: https://bitbucket.org/openid/fapi/pull-requests/187
We have this clause: “should clearly identify long-term grants to the user during authorization as in 16.18 of OIDC; and”
But there is a suggestion that we have something in the privacy considerations, maybe...
(Data misidentification by User at RP) User could misunderstand the data they are releasing to the RP, so best practice is for the AS to make clear what data will be released to the RP.
I'm not happy with the wording, but it's a start.
Comments (9)
reporter -
In regard to the original clause...
Is it only applicable to “long-term” grants?
“should clearly identify the details of the grant to the user during authorization as in 16.18 of OIDC; and”
In regards to the suggestion for privacy considerations: Not sure what is the best way to put it, but it’s not just about user misunderstanding, right? We are trying to address the mismatch between user’s understanding or what RP is displaying to a user and the actual authorization request.
(Mismatch between User’s understanding or what RP is displaying to a user and the actual authorization request). To enhance the trust of the ecosystem, best practice is for the AS to make clear what is included in the authorisation request (for example, what data will be released to the RP).
Not the perfect wording but another option.
Agreed. It is not only for long-term grants.
One of the things that the AS can do, but the Client cannot, is to provide the actual value that is being provided to the Client. Thus, as the project leader of the privacy notice and consent standard (ISO/IEC 29184), I would advocate it. It provides a really good list of what needs to be done at the data controller that is providing data.
reporter - changed status to resolved
reporter - changed status to open
- changed status to resolved
- changed component to Part 2: Advanced
- changed component to FAPI 1 – Part 2: Advanced
- changed component to FAPI 1: Advanced
@Ralph Bragg