Hi Hasanthi,

Yes, this is the issue. And also, what are we going to show in the consent
page to the user? There is no real purpose in collecting some attributes for
some applications. Asking for overly broad consent is a GDPR consent
guideline violation as well.

Thanks & Regards,
Johann.

On Fri, May 31, 2019 at 11:35 AM Hasanthi Purnima Dissanayake <
hasan...@wso2.com> wrote:

> Hi Johann,
>
> The limitation I can see with the current implementation is, if we define
> all the scopes in the federated IDP configuration, every time the IDP will
> tend to send all the claims mapped to the requested scopes. If we have a
> scope mapping between IS and OP, then we can restrict requesting only the
> mapped scopes from the external IDP.
>
> @Johann Nallathamby <joh...@wso2.com> Do you see any other concerns?
>
> So we can overcome that limitation with the suggested approach.
>
> Thanks,
> Hasanthi
>
>
>
> On Fri, May 31, 2019 at 9:43 AM Asela Pathberiya <as...@wso2.com> wrote:
>
>>
>>
>> On Fri, May 31, 2019 at 7:58 AM Johann Nallathamby <joh...@wso2.com>
>> wrote:
>>
>>> *Problem*
>>>
>>> When we federate to other OpenID Connect Providers, we can send scope
>>> values. However, currently the scope values are fixed per OP we define in
>>> IS. This works fine if the service provider is not an OpenID Connect RP or
>>> an RP not requesting scopes. If we are to support different scope
>>> combinations that can be requested by different RPs, it is not scalable to
>>> define individual OP configurations for each scope combination.
>>>
>>> *Solution*
>>>
>>> We must support scope mappings, so that we can map a set of scopes
>>> requested by the RP to another set of scopes supported by the OP. This way
>>> we don't need to create multiple OP configurations to support different
>>> scope combinations requested by different RPs.
>>>
>>> What are your thoughts on this?
>>>
>>
>> I am just wondering why does the RP need to send different scopes to the
>> federated IDP? Is it just to retrieve different attributes from the
>> id_token or userinfo attributes based on the RP? If it is not, is there any
>> other use case?
>>
>> Thanks,
>> Asela.
>>
>>
>>>
>>> Thanks & Regards,
>>> Johann.
>>>
>>> --
>>> *Johann Dilantha Nallathamby* | Associate Director/Solutions Architect
>>> | WSO2 Inc.
>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
>>>
>>
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> Mobile : +94 777 625 933
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>> _______________________________________________
>> Architecture mailing list
>> Architecture@wso2.org
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>
>
>
> --
>
> Hasanthi Dissanayake | Senior Software Engineer | WSO2 Inc.
> (m) +94718407133 | (w) +94112145345  | Email: hasan...@wso2.com
>
>

-- 
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
