Hi Johann,

The limitation I can see with the current implementation is: if we define all the scopes in the federated IDP configuration, every time the IDP will tend to send all the claims mapped to the requested scopes. If we have a scope mapping between IS and the OP, then we can restrict requesting only the mapped scopes from the external IDP.

@Johann Nallathamby <[email protected]> Do you see any other concerns? So we can overcome that limitation with the suggested approach.

Thanks,
Hasanthi

On Fri, May 31, 2019 at 9:43 AM Asela Pathberiya <[email protected]> wrote:
>
> On Fri, May 31, 2019 at 7:58 AM Johann Nallathamby <[email protected]> wrote:
>
>> *Problem*
>>
>> When we federate to other OpenID Connect Providers, we can send scope values. However, currently the scope values are fixed per OP we define in IS. This works fine if the service provider is not an OpenID Connect RP or an RP not requesting scopes. If we are to support different scope combinations that can be requested by different RPs, it is not scalable to define individual OP configurations for each scope combination.
>>
>> *Solution*
>>
>> We must support scope mappings, so that we can map a set of scopes requested by the RP to another set of scopes supported by the OP. This way we don't need to create multiple OP configurations to support different scope combinations requested by different RPs.
>>
>> What are your thoughts on this?
>
> I am just wondering why does the RP need to send different scopes to the federated IDP? Is it just to retrieve different attributes from id_token or userinfo attributes based on the RP? If it is not, are there any other use cases?
>
> Thanks,
> Asela.
>
>> Thanks & Regards,
>> Johann.
>>
>> --
>> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect | WSO2 Inc.
>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) [email protected]
>
> --
> Thanks & Regards,
> Asela
>
> Mobile : +94 777 625 933
>
> http://soasecurity.org/
> http://xacmlinfo.org/
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

--
Hasanthi Dissanayake | Senior Software Engineer | WSO2 Inc.
(m) +94718407133 | (w) +94112145345 | Email: [email protected]
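As an added illustration of the scope-mapping idea discussed in this thread (example code, not WSO2 Identity Server code): a per-IdP mapping from the scopes an RP requested to OP-side scopes, forwarding only mapped scopes so the external OP is never asked for claims the RP did not request. The class and function names, the placeholder scope values and the fallback-to-default rule are all assumptions of this example.

```python
# Added example, not WSO2 Identity Server code: pick the scopes to send to a
# federated OP from the scopes an RP requested, via a per-IdP scope mapping
# instead of a fixed per-OP scope string. All names/scope values are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed OP-side scope identifiers (placeholders, not a real provider's).
OP_PROFILE = "https://op.example/scopes/profile"
OP_EMAIL = "https://op.example/scopes/email"

@dataclass
class FederatedIdpConfig:
    """One external OP. default_scopes is the fixed scope string sent today,
    used only when the SP is not an OIDC RP or requested no scopes.
    scope_mapping: local (IS-side) scope -> scopes the OP understands for the
    same claims; anything not listed here is never forwarded."""
    name: str
    default_scopes: Tuple[str, ...] = ("openid",)
    scope_mapping: Dict[str, Tuple[str, ...]] = field(default_factory=dict)

def resolve_outbound_scopes(idp: FederatedIdpConfig,
                            requested: List[str]) -> Tuple[List[str], List[str]]:
    """Return (scopes to request from the OP, requested scopes with no mapping).
    'openid' is always sent since an OIDC authentication request needs it.
    Mapped scopes keep request order and are de-duplicated, so two local scopes
    mapping to the same OP scope do not repeat it. Unmapped scopes are dropped
    and reported, not passed through, so the OP is only asked for claims an
    administrator explicitly mapped."""
    if not requested:                       # non-OIDC SP / no scopes: old behaviour
        return list(idp.default_scopes), []
    outbound: List[str] = ["openid"]
    dropped: List[str] = []
    for scope in requested:
        if scope == "openid":
            continue
        targets = idp.scope_mapping.get(scope)
        if not targets:
            dropped.append(scope)
            continue
        for target in targets:
            if target not in outbound:
                outbound.append(target)
    return outbound, dropped

# Constructed sample IdP: 'address' shares an OP scope with 'profile' (shows
# de-duplication); 'groups' has no mapping and is therefore dropped.
SAMPLE_IDP = FederatedIdpConfig(
    name="example-op",
    default_scopes=("openid", OP_PROFILE, OP_EMAIL),
    scope_mapping={"profile": (OP_PROFILE,), "email": (OP_EMAIL,), "address": (OP_PROFILE,)},
)
```

The second element of the return value is worth logging: a scope an RP asked for that no administrator mapped is either a misconfiguration or an RP probing for claims it was not granted.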
