Hi Steinar,

> On 22. Apr 2019, at 10:38, Steinar Noem <[email protected]> wrote:
>
> Hi Torsten, thank you for writing this clarifying article :)

Pleasure :-)

> In the health sector in Norway we are facing similar challenges regarding the
> need for contextual information.
> At the time, our planned solution is to package this information as custom
> claims in request objects - e.g.: “helse:client/claims/xxxx”,

and do not forget: claims in a request object means you force your client and AS to turn on OpenID Connect for your requests (scope openid, ID Token, ...) even if you “just” want to authorise API access.

> but after reading your article I realize that the structured scope approach
> makes a lot more sense and, as you stated in the article, pushing the request
> objects mitigates the issues with request-size and complexity on the client
> side.
> In our case we may also have a requirement to encrypt the pushed request
> object due to potential sensitive content.

TLS is not enough?

kind regards,
Torsten.

> - Steinar
>
> Sat, 20 Apr 2019 at 20:21 Torsten Lodderstedt
> <[email protected]> wrote:
>> Hi all,
>>
>> I just published an article about the subject at:
>> https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948
>>
>> I look forward to getting your feedback.
>>
>> kind regards,
>> Torsten.
>> _______________________________________________
>> OAuth mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/oauth
>
> --
> Kind regards
>
> Steinar Noem
> Partner Udelt AS
> Systems developer
>
> | [email protected] | [email protected] | +47 955 21 620 | www.udelt.no |
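To make the comparison in the thread concrete, here is an added example (mine, not code from the thread, the article, or any OAuth specification) in standard-library Python: the same transaction context carried as a structured JSON scope inline in the authorization URL versus pushed to a stand-in PAR endpoint over the back channel and referenced by a single-use request_uri. The endpoint URL, client id and scope contents are assumptions; a real AS would additionally authenticate the pushing client and expire pending requests.

```python
import json
import secrets
from urllib.parse import urlencode

# Constructed sample values (assumptions for this example, not from the thread).
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "helse-client"
REDIRECT_URI = "https://app.example/callback"

# Transaction context as a structured (JSON) scope rather than custom claims in
# an OpenID Connect request object: no openid scope or ID Token is needed.
STRUCTURED_SCOPE = {"type": "helse:patient_record", "actions": ["read"],
                    "patient_id": "01010112345",  # constructed, not a real id
                    "purpose": "treatment"}

def build_par_params(scope_obj, state):
    """Authorization request parameters with the structured scope serialised."""
    return {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": json.dumps(scope_obj, separators=(",", ":")),
        "state": state,
    }

def inline_authz_url(scope_obj, state):
    """Front-channel request carrying the whole structured scope in the URL."""
    return f"{AUTHZ_ENDPOINT}?{urlencode(build_par_params(scope_obj, state))}"

class ParEndpoint:
    """Stand-in for the AS's pushed authorization request endpoint. The client
    POSTs the full request here directly over TLS, so the scope never passes
    through the browser; the front channel carries only a reference."""

    def __init__(self):
        self._pending = {}
    def push(self, params):
        scope = json.loads(params["scope"])
        if not isinstance(scope, dict) or "type" not in scope:
            raise ValueError("structured scope must be a JSON object with a 'type'")
        request_uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_urlsafe(16)
        self._pending[request_uri] = params
        return request_uri

    def resolve(self, request_uri):
        """Single use: the request_uri can be redeemed once, then it is gone."""
        return self._pending.pop(request_uri, None)

def pushed_authz_url(request_uri):
    return f"{AUTHZ_ENDPOINT}?{urlencode({'client_id': CLIENT_ID, 'request_uri': request_uri})}"
```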
