[ https://issues.apache.org/jira/browse/FEDIZ-203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16084076#comment-16084076 ]

Sergey Beryozkin commented on FEDIZ-203:
----------------------------------------

Hi Jan, I've applied the Fediz related changes, taking some of your code:

1. Having a single list tracking the requested claims via the "claims" 
parameter and the scope-to-claims mappings is a nice idea, so that is in - I 
added a comment that OidcUtils.getScopeClaims() does the mapping between the 
*standard* scopes and the claims.
2. FIRST_NAME, LAST_NAME, and NAME are still added by default - I'd say T. IAM 
may need them, and without them IdTokens would be useless for any client 
application hoping to interact with the authenticated users. As I mentioned, 
Google reports them too. You are right that technically these claims are part of 
the standard "profile" scope, but it is really up to the discretion of the given 
OIDC service which can be reported by default. However, I did remove reporting 
the phone, home address, etc. by default - I guess it can indeed be reasonable to 
require a client to request these claims via the explicit "profile"/etc. standard 
scopes if required, or via the individual "claims" parameter values.

3. Roles - the code is left more or less intact to make sure that the service 
configuration can be checked that returning the roles is supported and that the 
configured role claim name is used. The mapping between the 'roles' scope is 
explicit in the code, we should probably generalize it later on to have a map 
of String to List of String property to support the custom scopes to roles...

Hope it looks all right to you and Colm.

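The resolution rule the comment describes (default name claims, standard scopes mapped to claims, an explicit "roles" scope mapped to the configured role claim only when roles are supported, plus the individual "claims" parameter values), sketched here as an added illustration; this is not Fediz or CXF code, and the class and method names, the scope-to-claims table and the comma-separated treatment of the "claims" parameter are assumptions:

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RequestedClaimsResolver {
    // Assumed mapping of *standard* OIDC scopes to claims (the role the comment
    // attributes to OidcUtils.getScopeClaims() in Fediz; the table itself is a guess).
    private static final Map<String, List<String>> STANDARD_SCOPE_CLAIMS = Map.of(
        "profile", List.of("name", "given_name", "family_name", "phone_number", "address"),
        "email", List.of("email"));
    // Name claims reported by default; phone, address etc. only when a scope or
    // the "claims" parameter asks for them.
    private static final List<String> DEFAULT_CLAIMS = List.of("name", "given_name", "family_name");
    // Configured role claim name; null means the service does not return roles.
    private final String roleClaimName;

    public RequestedClaimsResolver(String roleClaimName) { this.roleClaimName = roleClaimName; }

    /** Builds the single list of requested claims from the scope and the "claims"
     *  parameter (the latter treated as a comma-separated list here, an assumption). */
    public List<String> resolve(String scope, String claimsParam) {
        Set<String> requested = new LinkedHashSet<>(DEFAULT_CLAIMS);
        if (scope != null) {
            for (String s : scope.trim().split("\\s+")) {
                if ("roles".equals(s)) {
                    // explicit 'roles' scope -> configured role claim, only if roles are supported
                    if (roleClaimName != null) requested.add(roleClaimName);
                } else {
                    // standard scopes contribute their claims; unknown scopes contribute nothing
                    requested.addAll(STANDARD_SCOPE_CLAIMS.getOrDefault(s, List.of()));
                }
            }
        }
        if (claimsParam != null) {
            for (String c : claimsParam.split(",")) {
                if (!c.isBlank()) requested.add(c.trim());
            }
        }
        return new ArrayList<>(requested);
    }

    public static void main(String[] args) {
        // role claim configured: the default name claims plus the role claim, no phone/address
        System.out.println(new RequestedClaimsResolver("roles").resolve("openid roles", null));
        // roles not configured: the 'roles' scope is ignored, the "claims" value still adds email
        System.out.println(new RequestedClaimsResolver(null).resolve("openid roles", "email"));
    }
}
```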

> Support "roles" scope
> ---------------------
>
>                 Key: FEDIZ-203
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-203
>             Project: CXF-Fediz
>          Issue Type: New Feature
>          Components: OIDC
>            Reporter: Jan Bernhardt
>            Assignee: Jan Bernhardt
>             Fix For: 1.4.1
>
>         Attachments: cxf.patch, fediz.patch
>
>
> OIDC currently only supports role claims if they are requested as "claims" 
> but not via "scope". Goal of this jira issue is to add support for a "roles" 
> scope.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)