OIDC Federation for Higher Ed

From IIW

OIDC Federation for Higher Ed

Thursday 4H

Convener: Roland Hedberg

Notes-taker(s): Roland Hedberg

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Roland described four problems that he thought should be addressed before OIDC can be used in a Higher Ed Identity federation.

1) Attributes

The set of attributes provided in the OIDC standard are not sufficient so someone preferably REFEDS (https://refeds.org) should do that.

2) Scopes

A number of scopes should be registered:

a) To signal that Higher Ed attributes are expected from the UserInfo endpoint, this could be named ’edu’

b) scopes that matches the entity categories that are used in Higher Ed identity federations.

3) Allow for semi-static client registration

Right now there are two choices for client registration, static or dynamic. We would like to have something in-between where the RP can send some information (in the form of software statements) during client registration that allows the OP to know who the RP belongs to and what it is allowed to do/see.

4) Allow for off-line verification of ’documents’ that are sent around.

Things like provider configuration, client registration and client/provider keys are now just JSON documents. There ought to be ways of signing these such that anyone disregarding how it was received can verify the correctness of the document.

Discussion followed.