Scope

From MgmtWiki
Revision as of 20:32, 18 August 2018 by Tom (talk | contribs) (Solution)

Jump to: navigation, search

Full Title or Meme

A request for Claims is a Scope.

Context

Claims typically go through a series of steps, for example:

  1. A User will go to a Web Site hosting a Resource that the user wants to access.
  2. The Web Site will send a collection of Scopes to a User asking for Claims to authorize access.
  3. The User Agent should know, a priori, where to send the Claims for verification.
  4. The verified claims will be collected and forwarded to the Web Site.
  5. The Web Site will evaluate the verified claims and determine whether to authorize access to the resource.
  6. Optionally the Web Site will request additional claims to meet the needs to authorize access.


  • In computer networking a variety of statements can be made by a user to acquire authorized access to a resource.
  • The distinction as to Authentication, who a user is, versus Authorization, or what that user is permitted to do, is no longer helpful.
  • NIST has recognized that there are multiple metrics for the quality of statements about a user in their third update to SP 800-63
  • Claims can be highly detailed, do to data fields, or a collection of fields, like the User address, this can be overwhelming if presented for User Consent. Some protocols, like OpenID Connect provide for aggregated collections of claims that OpenID calls Scope.[1]

Solution

Here will we describe the scopes available from OpenID Connect as a good example.


Name Type Cat Notes
openid Attribute driver's license Informs the Authorization Server that the Client is making an OpenID Connect request. If the openid scope value is not present, the request MUST NOT be treated as an OpenID Connect request. The openid value also requests that the ID Token associated with the authentication session be returned. If the response_type includes token, the ID Token is returned in the Authorization Response along with the Access Token. If the response_type includes code, the ID Token is returned as part of the Token Endpoint response. This scope value requests access to the user_id Claim at the UserInfo Endpoint.
profile This requests that access to the End-User’s profile Claims excluding the address and email Claims at the UserInfo Endpoint be granted by the issued Access Token.
email UAF U2F This requests that access to the email and verified Claims at the UserInfo Endpoint be granted by the issued Access Token.
address UMA This requests that access to address Claim at the UserInfo Endpoint be granted by the issued Access Token.
phone AuthZ This requests that access to the phone_number Claim at the UserInfo Endpoint be granted by the issued Access Token
phone validated AuthN+AuthZ OpenID Connect more significant for AuthN
SAML AuthN SAML2
Univ. of MD IDEF registered

References

  1. Nat Sakimura Scopes and Claims in OpenID Connect https://nat.sakimura.org/2012/01/26/scopes-and-claims-in-openid-connect/
Retrieved from "http://tcwiki.azurewebsites.net/index.php?title=Scope&oldid=2484"