Ah, I hadn't considered the OpenId Connect/claims connection. At one point we actually considered using the private_key_jwt client secret to transport "claims" from the client to the AS - so we were happy to learn about the JAR spec.
In my opinion TLS is good enough, but some security analysts and data protection officers in the health sector may not agree with me :) Our main use case for OAuth is interoperability between businesses on a national level (hospitals, primary health care etc), where a health personel requests information about a patient in a different legal entity (business) than where they are employed. It's a complex domain, in certain cases the combination of two personal identifiers can be considered sensitive alone (e.g. a psychiatrist and patient combination). But, we have seen a "softening" of the requirements for confidentiality - so hopefully signatures will be sufficient.. - S man. 22. apr. 2019 kl. 18:29 skrev Torsten Lodderstedt < [email protected]>: > HI Steinar, > > > On 22. Apr 2019, at 10:38, Steinar Noem <[email protected]> wrote: > > > > Hi Torsten, thank you for writing this clarifying article :) > > Pleasure :-) > > > > > In the health sector in Norway we are facing similar challenges > regarding the need for contextual information. > > At the time, our planned solution is to package this information as > custom claims in request objects - e.g.: “helse:client/claims/xxxx”, > > and do not forget: claims in a request object means you force your client > and AS to turn on OpenID Connect for your requests (scope openid, ID Token, > ...) even if you “just” want to authorise API access. > > > but after reading your article I realize that the structured scope > approach makes a lot more sense and, as you stated in the article, pushing > the request objects mitigates the issues with request-size and complexity > on the client side. > > In our case we may also have a requirement to encrypt the pushed request > object due to potential sensitive content. > > TLS is not enough? > > kind regards, > Torsten. > > > > > - Steinar > > > > > > lør. 20. apr. 2019 kl. 20:21 skrev Torsten Lodderstedt < > [email protected]>: > > Hi all, > > > > I just published an article about the subject at: > https://medium.com/oauth-2/transaction-authorization-or-why-we-need-to-re-think-oauth-scopes-2326e2038948 > > > > > I look forward to getting your feedback. > > > > kind regards, > > Torsten. > > _______________________________________________ > > OAuth mailing list > > [email protected] > > https://www.ietf.org/mailman/listinfo/oauth > > -- > > Vennlig hilsen > > > > Steinar Noem > > Partner Udelt AS > > Systemutvikler > > > > | [email protected] | [email protected] | +47 955 21 620 | www.udelt.no | > > -- Vennlig hilsen Steinar Noem Partner Udelt AS Systemutvikler | [email protected] | [email protected] | +47 955 21 620 | www.udelt.no |
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
