On 6/13/2014 10:21 AM, Anil Saldhana wrote:
On 06/12/2014 12:22 PM, Phil Hunt wrote:
One of the use cases is to return only a token that is NOT an access
token and is only an authentication assertion that is not opaque to
the client.

A key concern is clients do not always want to ask users for consent
to access their profiles or any other resource.  They just want
authentication.

How many times do we see things like login with Yahoo, Twitter,
Facebook and they apparently want access to too much information?
I’ve got lots of web site developers who don’t want that because it
loses registrations as a significant percentage of users always
refuse.  These developers just want an authn ctx and the easy-sign-on
benefits.
If the developers want just the authentication context and not the
entire details about the user from providers such as Facebook, can we
just not ask with an appropriate scope for the provider? Something like
scope=username or scope=useremail. When the provider gives the data,
then it is understood that there was authentication and some user consent.

OpenID Connect already has this defined:

http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
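An added example, not from this thread or any of its authors, of the point Bill and Anil are making: a client that wants authentication only asks for `scope=openid` and gets an ID token, a non-opaque assertion, while `profile`, `email`, `address` and `phone` are the scope values of OpenID Connect Core 1.0 section 5.4 that release user claims. It goes one step further than the thread and has the client check that the provider did not release more user claims than the requested scope covers. It assumes HS256 with the client secret as signing key so it runs on the Python standard library; the issuer, client id, nonce and `mint_id_token` helper are constructed stand-ins.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Scope values and the claims each one releases, per OpenID Connect Core 1.0 section 5.4.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}
# Claims that describe the authentication event itself, not the user's profile.
AUTH_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce", "acr", "amr", "azp", "at_hash"}

def build_auth_request(authz_endpoint, client_id, redirect_uri, state, nonce, scope="openid"):
    """Authentication-only request: scope=openid asks for an ID token and no profile data."""
    if "openid" not in scope.split():
        raise ValueError("OpenID Connect requires the openid scope")
    params = {"response_type": "id_token", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": scope, "state": state, "nonce": nonce}
    return authz_endpoint + "?" + urlencode(params)

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims, client_secret):
    """Constructed test helper standing in for the provider: sign claims with HS256."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def check_id_token(token, client_secret, issuer, client_id, nonce, scope="openid", now=None):
    """Verify signature and authentication claims, then return user claims released beyond `scope`."""
    head, body, sig = token.split(".")
    if json.loads(_unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(client_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(body))
    aud = claims.get("aud", [])
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]) \
            or claims.get("nonce") != nonce or claims.get("exp", 0) <= now:
        raise ValueError("ID token is not for this client and session")
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scope.split()))
    return set(claims) - AUTH_CLAIMS - allowed
```

A non-empty result means the provider handed over profile data the client never asked for; a client that only wanted sign-on should simply not store it.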

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
