camaraproject / IdentityAndConsentManagement

Repository to describe, develop, document and test the Identity And Consent Management for CAMARA APIs
Apache License 2.0

Camara OIDC profile #121

Closed AxelNennker closed 4 months ago

AxelNennker commented 7 months ago

What type of PR is this?

Add one of the following kinds:

What this PR does / why we need it:

By restricting the options the OIDF and IETF standards offer, this document improves CAMARA security and interoperability. The CAMARA Security and Interoperability document follows the path FAPI 2.0 Security took, leading to a concise description which helps implementers focus on those parts of the standards that are required or recommended.

Which issue(s) this PR fixes:

Fixes #78 Fixes #82 Fixes #87 Fixes #90 Fixes #100 Fixes #104
Fixes #127 Fixes #132 Fixes #133 Fixes #136 Fixes #137

hdamker commented 5 months ago

As already stated several times, DT would prefer not to use the option where purpose and scope are mixed within the scope parameter. We would obviously be OK with both option 3 and option 4, but agree with Orange that option 3 isn't covered by any standard and that there is a risk of colliding with a later standardisation of the parameter. Therefore the preference is option 4, as "authorization_details" is already an IANA-registered parameter for requests and tokens, together with a strong limitation to use the parameter only to transport a single parameter.

hdamker commented 5 months ago

Thanks to all who participated in the discussion call today, and thanks to Axel for documenting the outcome in https://github.com/camaraproject/IdentityAndConsentManagement/pull/121/commits/daf26d7c4642576d8583df46277ad7865968bd95

As DT we are fine with the result, which is using option 1 (purpose as a scope value) for the current version, and we look forward to seeing how we can potentially leverage "authorization_details" for more complex use cases in later releases.
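To make the two transports discussed in this thread concrete (option 1, purpose as a scope value, and option 4, purpose inside an RFC 9396 `authorization_details` entry limited to a single element), here is an added example that is not part of the CAMARA repository or this PR. It builds an authorization request each way and shows the server-side check an authorization server would need: exactly one purpose must be present, and if `authorization_details` is used it must carry exactly one entry. The `purpose:` scope prefix, the `camara-purpose` detail type, the endpoint and the client values are all constructed assumptions, not CAMARA's actual syntax.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed values for the example; none of these are defined by CAMARA.
AUTHZ_ENDPOINT = "https://op.example.com/authorize"   # hypothetical OP endpoint
PURPOSE_PREFIX = "purpose:"                           # assumed scope-value prefix (option 1)
PURPOSE_DETAIL_TYPE = "camara-purpose"                # assumed authorization_details type (option 4)


def authz_url(client_id, redirect_uri, scopes, state, extra=None):
    """Assemble an OAuth 2.0 authorization request URL (RFC 6749 query parameters)."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    params.update(extra or {})
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def build_option1(client_id, redirect_uri, api_scopes, purpose, state):
    """Option 1: the purpose travels as one more value inside the scope parameter."""
    scopes = ["openid", *api_scopes, PURPOSE_PREFIX + purpose]
    return authz_url(client_id, redirect_uri, scopes, state)


def build_option4(client_id, redirect_uri, api_scopes, purposes, state):
    """Option 4: the purpose travels in RFC 9396 authorization_details (a JSON array).

    Accepts a list so the example can also produce the multi-entry request the
    single-parameter restriction is meant to reject.
    """
    details = [{"type": PURPOSE_DETAIL_TYPE, "purpose": p} for p in purposes]
    return authz_url(client_id, redirect_uri, ["openid", *api_scopes], state,
                     {"authorization_details": json.dumps(details)})


def extract_purpose(url):
    """Server-side validation: return the single purpose carried by the request.

    Raises ValueError when no purpose is present, when more than one purpose is
    present (across both transports), or when authorization_details carries
    anything other than exactly one well-formed entry.
    """
    query = parse_qs(urlparse(url).query)
    scopes = query.get("scope", [""])[0].split()
    purposes = [s[len(PURPOSE_PREFIX):] for s in scopes if s.startswith(PURPOSE_PREFIX)]

    if "authorization_details" in query:
        details = json.loads(query["authorization_details"][0])
        if not isinstance(details, list) or len(details) != 1:
            raise ValueError("authorization_details must carry exactly one entry")
        entry = details[0]
        if not isinstance(entry, dict) or entry.get("type") != PURPOSE_DETAIL_TYPE \
                or not isinstance(entry.get("purpose"), str):
            raise ValueError("unexpected authorization_details entry")
        purposes.append(entry["purpose"])

    if len(purposes) != 1:
        raise ValueError(f"exactly one purpose required, got {len(purposes)}")
    return purposes[0]


def request_is_valid(url):
    """Boolean wrapper around extract_purpose for callers that only need accept/reject."""
    try:
        extract_purpose(url)
        return True
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    cb = "https://app.example.com/cb"  # hypothetical redirect URI
    print(extract_purpose(build_option1("c1", cb, ["api-a"], "fraud-prevention", "s1")))
    print(extract_purpose(build_option4("c1", cb, ["api-a"], ["fraud-prevention"], "s1")))
    print(request_is_valid(build_option4("c1", cb, ["api-a"], ["a", "b"], "s1")))
```

The check treats the two transports as mutually exclusive: a request that carries a purpose scope value and an `authorization_details` entry at the same time is rejected, which avoids having to decide which one wins when they disagree.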

hdamker commented 5 months ago

@eric-murray @sfnuser @palmerabollo @izahirclemencia @Elisabeth-Ericsson @bigludo7 @sebdewet Sorry for spamming, but as the GitHub messages about my "requested review" and "removed request" look strange, I want to briefly confirm that your final reviews are requested now, after we agreed in a smaller round today on "Option 1" as the solution for the purpose topic.

AxelNennker commented 4 months ago

Please review (and approve)