On 28/10/2022 12:25, Pawel Kowalik wrote:
On 28.10.22 at 11:35, Mario Loffredo wrote:
[PK] The text was proposed in a way which does not exclude certain
valid use-cases but still allows the RDAP server to set its own
policy on sharing data.
It is clear that the RDAP server is acting as a sort of Identity
Provider towards its clients, so similar considerations about
data sharing shall apply. The RDAP server may ask the user for
consent about sharing PII as well; the decision is clearly up to the RDAP
server operator.
[ML] It doesn't make sense to me that the RDAP server could operate as
an IdP proxy for RDAP clients. It's already a bit weird that in this
model the RDAP server acts simultaneously as a Relying Party and a
Resource Server, but I admit that, when the RDAP client is a browser,
the RDAP server is the only intermediary application between the end
user and the IdP.
Instead of making the RDAP server more complex, the easy way is that,
if an RDAP client needs PII claims for providing the end user with a
better UX or for any other purpose, it should register with an IdP
and ask that IdP for those claims with the end user's consent.
[PK] There is a quite relevant drawback to this scenario: there
is no assurance that the identity provided to the RDAP client by the IdP
would be the same as the one used towards the RDAP server if there is
no relation. An IdP may hold more than one identity of the same user
and offer account selection in the authorization step.
[ML] Do you mean that the two accounts are related to the same
user_id? AFAIK, one can use the same user_id (e.g. the mail) for signing
up with different IdPs. I have never heard of it happening within the same IdP.
Anyway, even admitting the unusual case that an end user could select
two different identities in two close authentications, why should the
related PII be absolutely the same if they are used for two different
purposes?
Apart from that, based on my interpretation of GDPR, a generic
third-party client application processing the PII coming from the RDAP
server as claims should be authorized by the end user through a specific
request for consent.
This is because the request for consent from the Authorization Server
covers only the processing done by the server.
BTW, if "scope" is optional, should the farv1_openidcConfiguration
object include a "scopeSupported" property?
Best,
Mario
Kind Regards,
Pawel
_______________________________________________
regext mailing list
regext@ietf.org
https://www.ietf.org/mailman/listinfo/regext
--
Dr. Mario Loffredo
Technological Unit “Digital Innovation”
Institute of Informatics and Telematics (IIT)
National Research Council (CNR)
via G. Moruzzi 1, I-56124 PISA, Italy
Phone: +39.0503153497
Web: http://www.iit.cnr.it/mario.loffredo