Specify the fields API #668
Conversation
|
Thanks @TallTed, addresssed your comments. |
|
Discussed in 19 Nov 2024 WG call minutes. Not yet resolved. |
|
I addressed TallTed's comments. |
|
I have updated the PR to make it optional for a user agent to show a disclosure text/permission prompt. |
|
I've now also added a note that IDPs should support continue_on. |
|
Discussed at Jan 7 meeting minutes |
|
Because this came up in the meeting -- if a user agent does not (want to) support this feature, then it would not "support[] showing a permission prompt" and would not fall into the "MUST" cases for the UI. That was at least the intention, if I missed a case please do point it out! |
| is defined, and the |provider|'s {{IdentityProviderConfig/clientId}} is not in the list of | ||
| |account|["{{IdentityProviderAccount/approved_clients}}"], then the user agent MUST display | ||
| the |metadata|["{{IdentityProviderClientMetadata/terms_of_service_url}}"] link. | ||
| 1. The user agent MUST prompt the user for permission to share the data in |fields|, |
There was a problem hiding this comment.
Does this force the display of a dialog with these fields shown?
There was a problem hiding this comment.
No because line 1380 makes this step only apply if the user agent supports showing a permission prompt.
There was a problem hiding this comment.
Ah I missed that because tabs are hard and that line was broken up in the diff. 👍
There was a problem hiding this comment.
The autogenerated "Diff" link (in the initial comment in the PR) may be helpful for cases like this
|
I realise 'fields' are meaningful parts of data structures, but the naming seems less obvious to an IdP. They sound more specifically like 'requested (identity) attributes/claims'. Would it be worth looking at the naming of this, at least when it is POSTed to the assertions endpoint. I guess overlapping with OIDCs use of Scopes, and SAML's use of RequestedAttributes. |
I think the closest to |
|
Thanks, @samuelgoto. That's a good point about being protocol agnostic. From an identity perspective, my understanding is that the RP will request certain attributes, and those are returned as verified (by the IdP) claims or assertions about the subject (user in most cases). I guess this pops up across the Identity and Access landscape in different guidelines and specifications e.g. LDAP, SAML, SCIM, OIDC, NIST SP800-63('Access to the service requires a defined list of attributes'), NIST SP800-63c('The federation transaction can also provide the RP with a set of identity attributes'), and so on. I personally wouldn't oppose reusing an existing term here, but I am not very familiar with alignment to the HTML specification, so maybe 'fields' is best. |
SHA: 3f25d0d Reason: push, by npm1 Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
SHA: 3f25d0d Reason: push, by pull[bot] Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Bug: w3c-fedid/custom-requests#4
Preview | Diff