
oidc-survey - Re: Quick notes from today's OIDC Survey meeting

Subject: OIDC Survey Working Group


Re: Quick notes from today's OIDC Survey meeting


  • From: Alan Crosswell <>
  • To: Patrick Radtke <>
  • Cc: Eric Goodman <>, "" <>
  • Subject: Re: Quick notes from today's OIDC Survey meeting
  • Date: Fri, 30 Sep 2016 13:49:40 -0400

Oh, and OAuth/OIDC are *easy to use*. SAML seems like you always have to get the "SAML guy" to help set things up. Maybe perception vs. reality....

There must be something to OAuth2 given all the API providers are using it.
/a

On Fri, Sep 30, 2016 at 1:47 PM, Alan Crosswell <> wrote:
OIDC (or just plain OAuth 2.0 and RFC7662 Introspection) doesn't just provide the remote user identity but also the approved scopes that that user has allowed.

OAuth allows for authorizing a 3rd-party app to access resources from an RP on behalf of the user. The SAML case (at least to someone who doesn't understand this stuff well like me) is more of an app and the RP being combined. Am I making sense? I've been getting kicked in the head by a mule for a while ;-)

/a

On Fri, Sep 30, 2016 at 1:32 PM, Patrick Radtke <> wrote:
On Fri, Sep 30, 2016 at 10:12 AM, Eric Goodman <> wrote:
> Maybe beyond the scope of this survey, but I’m wondering if the AAF approach
> presented is a good model: standardize the communication between the proxy
> and the application and put support for that layer of communication in the
> various application libraries, but still leave the protocol handling outside
> of the application.

I was expecting the majority of use cases to be driven by mobile apps
and API access. For mobile - proxying and REMOTE_USER aren't going to
be available as options. For API access, there may be some
possibilities - similar to how people offload token validation to an
API gateway - however fine-grained access decisions need knowledge of
both the data being acted on, the user, and the scopes present in the
token, and that only exists within the app, and not at the API
gateway or proxy level.

I wonder, if the proxy approach *is* suitable then why are certain
groups wanting OIDC? From their application's perspective REMOTE_USER
is getting set whether it was a SAML authentication or OIDC. Is it
that the SAML SP onboarding process for their institution is
cumbersome/hard to understand/not cool/takes weeks/etc? Or is there
something fundamental about what they want to do that makes the proxy
not suitable?

-Patrick



--
Alan Crosswell
Assoc. VP & CTO

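The two points made in the thread above (introspection returning the user identity together with the approved scopes, and fine-grained access decisions needing the data, the user and the scopes at the same time) as an added Python example that is not part of the original thread. The `introspect` function is a stand-in for the HTTPS POST to an RFC 7662 introspection endpoint; the token responses and the note store are constructed sample data, and `gateway_check` and `app_authorize` are hypothetical names chosen for this example.

```python
"""Resource-server authorization on top of RFC 7662 token introspection.

Added example, not code from the oidc-survey thread. The introspection
lookup stands in for the HTTPS POST to the authorization server's
introspection endpoint; the note store is a constructed in-memory dict.
"""
import time

# Constructed introspection responses keyed by token string. Field names
# follow RFC 7662 section 2.2 (active, sub, scope, exp, client_id).
FAR_FUTURE = 4102444800  # 2100-01-01T00:00:00Z, so sample tokens stay valid
INTROSPECTION_RESPONSES = {
    "tok-alice-write": {"active": True, "sub": "alice", "client_id": "mobile-app",
                        "scope": "notes:read notes:write", "exp": FAR_FUTURE},
    "tok-bob-read": {"active": True, "sub": "bob", "client_id": "mobile-app",
                     "scope": "notes:read", "exp": FAR_FUTURE},
    "tok-expired": {"active": True, "sub": "carol", "client_id": "mobile-app",
                    "scope": "notes:read notes:write", "exp": 1_000_000_000},
    "tok-revoked": {"active": False},
}

# Constructed resource data: note id -> owner. Ownership is the piece of
# information that exists only in the application, not at a gateway/proxy.
NOTES = {
    "n1": {"owner": "alice", "body": "alice's note"},
    "n2": {"owner": "bob", "body": "bob's note"},
}

ACTION_SCOPE = {"read": "notes:read", "write": "notes:write"}


def introspect(token):
    """Stand-in for POST /introspect. A real server answers {"active": false}
    for unknown tokens rather than returning an error, so do the same here."""
    return INTROSPECTION_RESPONSES.get(token, {"active": False})


def granted_scopes(info):
    """RFC 7662 returns scope as a single space-delimited string."""
    return set(info.get("scope", "").split())


def gateway_check(token, required_scope, now=None):
    """What a proxy or API gateway can decide from the token alone:
    is it active, unexpired, and does it carry the required scope?"""
    now = time.time() if now is None else now
    info = introspect(token)
    if not info.get("active"):
        return False
    if "exp" in info and info["exp"] <= now:
        return False
    return required_scope in granted_scopes(info)


def app_authorize(token, action, note_id, now=None):
    """The application's decision: everything the gateway checks, plus the
    user/resource relationship that only the app knows about.
    Returns (allowed, reason)."""
    now = time.time() if now is None else now
    info = introspect(token)
    if not info.get("active"):
        return False, "token inactive"
    if "exp" in info and info["exp"] <= now:
        return False, "token expired"
    needed = ACTION_SCOPE[action]
    if needed not in granted_scopes(info):
        return False, "missing scope " + needed
    note = NOTES.get(note_id)
    if note is None:
        return False, "no such note"
    # Scope says what the client may do on the user's behalf; ownership says
    # which notes belong to that user. A fine-grained decision needs both.
    if note["owner"] != info["sub"]:
        return False, "not owner"
    return True, "ok"


if __name__ == "__main__":
    for tok, act, nid in [("tok-alice-write", "write", "n1"),
                          ("tok-alice-write", "write", "n2"),
                          ("tok-bob-read", "write", "n2"),
                          ("tok-expired", "read", "n1"),
                          ("tok-revoked", "read", "n1")]:
        print(tok, act, nid, "gateway:", gateway_check(tok, ACTION_SCOPE[act]),
              "app:", app_authorize(tok, act, nid))
```

The second case is the one Patrick's message is about: `tok-alice-write` carries `notes:write`, so a gateway checking only the token lets the request through, yet the app still has to refuse it because note `n2` is not alice's. Checking `active` and `exp` in the app as well, rather than trusting that a gateway did, keeps the decision correct when the app is reached over a path that bypasses the gateway.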
Archive powered by MHonArc 2.6.19.
