RISC – Working Session

From IIW

RISC working sessions

Tuesday 4A, Wednesday 4A & 5J, Thursday 3A

Convener: Annabelle Backman and Marius S

Notes-taker(s): Annabelle Backman

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

The following notes are for all four OIDF RISC working group sessions across all three days of IIW #25:  

SET Subject

Ways to Identify a Subject

Base URI for subject type: http://schemas.openid.net/secevent/risc/subject-type/

  • iss and sub only

{
  "risc_subject": {
    "type": "http://schemas.openid.net/secevent/risc/subject-type/iss-sub",
    "iss": "https://idp.example.com/",
    "sub": "123abc"
  },
  ...
}

  • email only

{
  "risc_subject": {
    "type": "http://schemas.openid.net/secevent/risc/subject-type/email",
    "email": "foo@example.com"
  },
  ...
}

  • phone number only

{
  "risc_subject": {
    "type": "http://schemas.openid.net/secevent/risc/subject-type/phone_number",
    "phone_number": "+99-123-456-7890"
  },
  ...
}

  • email hash only

{
  "risc_subject": {
    "type": "http://schemas.openid.net/secevent/risc/subject-type/email_hash",
    "email_hash": "xyz",
    "hash_alg": "CRC"
  },
  ...
}

  • phone number hash only

{
  "risc_subject": {
    "type": "http://schemas.openid.net/secevent/risc/subject-type/phone_number_hash",
    "phone_number_hash": "xyz",
    "hash_alg": "CRC"
  },
  ...
}

  • iss + sub and email and phone number merged

{
  "risc_subject": {
    "type": "http://schemas.openid.net/secevent/risc/subject-type/id-token",
    "iss": "https://idp.example.com/",
    "sub": "123abc",
    "email": "foo@example.com",
    "phone_number": "+99-123-456-7890"
  },
  ...
}

  • iss + sub and email and phone number as array

{
  "risc_subject": [
    {
      "type": "http://schemas.openid.net/secevent/risc/subject-type/iss-sub",
      "iss": "https://idp.example.com/",
      "sub": "123abc"
    },
    {
      "type": "http://schemas.openid.net/secevent/risc/subject-type/email",
      "email": "foo@example.com"
    },
    {
      "type": "http://schemas.openid.net/secevent/risc/subject-type/phone_number",
      "phone_number": "+99-123-456-7890"
    }
  ],
  ...
}

  • iss + sub and email and phone number as map elements

{
  "risc_subject": {
    "http://schemas.openid.net/secevent/risc/subject-type/iss-sub": {
      "iss": "https://idp.example.com/",
      "sub": "123abc"
    },
    "http://schemas.openid.net/secevent/risc/subject-type/email": {
      "email": "foo@example.com"
    },
    "http://schemas.openid.net/secevent/risc/subject-type/phone_number": {
      "phone_number": "+99-123-456-7890"
    }
  },
  ...
}

  • risc_subject and optional risc_subject_alt

{
  "risc_subject": {
    "type": "http://schemas.openid.net/secevent/risc/subject-type/iss-sub",
    "iss": "https://idp.example.com/",
    "sub": "123abc"
  },
  "risc_subject_alt": [
    {
      "type": "http://schemas.openid.net/secevent/risc/subject-type/email",
      "email": "foo@example.com"
    },
    {
      "type": "http://schemas.openid.net/secevent/risc/subject-type/phone",
      "phone": "+99-123-456-7890"
    },
    ...
  ],
  ...
}

We will use risc_subject (single object) and risc_subject_alt (optional array) to represent subjects in SETs.  

Nested Subject

{
  "iss": "https://idp.example.com",
  "risc_subject": {
    "type": "http://schemas.openid.net/secevent/risc/subject-type/id-token",
    "iss": "https://tr.example.com/",
    "sub": "7375626A656374",
    "phone_number": "+99-123-456-7890"
  },
  ...
}

Top Level

Allowed only when there is no conflict between the SET's top-level iss and the subject's issuer.

Implied subject type: "type": "http://schemas.openid.net/secevent/risc/subject-type/id-token"

{
  "iss": "https://idp.example.com",
  "sub": "7375626A656374",
  "email": "foo@example.com",
  ...
}
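As an added example (not from the session notes or any OIDF implementation), a Python routine that pulls the subject identifiers out of a SET body under the representation adopted above: a single risc_subject object, an optional risc_subject_alt array, and the top-level form with the implied id-token type. The SAMPLE_SET payload and its vendor_hint attribute are constructed for the demo.

```python
# Base URI and subject type names are those in the session notes above.
BASE = "http://schemas.openid.net/secevent/risc/subject-type/"
ID_TOKEN = BASE + "id-token"
# Claims each subject type must carry (required) and may carry (optional), per the proposals above.
SUBJECT_CLAIMS = {
    BASE + "iss-sub": (("iss", "sub"), ()),
    BASE + "email": (("email",), ()),
    BASE + "phone_number": (("phone_number",), ()),
    BASE + "email_hash": (("email_hash", "hash_alg"), ()),
    BASE + "phone_number_hash": (("phone_number_hash", "hash_alg"), ()),
    ID_TOKEN: (("iss", "sub"), ("email", "phone_number")),
}
# Constructed sample SET body (non-subject claims elided); "vendor_hint" is a made-up extra attribute.
SAMPLE_SET = {
    "iss": "https://idp.example.com",
    "risc_subject": {"type": BASE + "iss-sub", "iss": "https://idp.example.com/",
                     "sub": "123abc", "vendor_hint": "ignored"},
    "risc_subject_alt": [{"type": BASE + "email", "email": "foo@example.com"}],
}

def normalize_subject(subj: dict) -> dict:
    """Validate one subject object and keep only the claims its type defines."""
    stype = subj.get("type")
    if stype not in SUBJECT_CLAIMS:
        raise ValueError(f"unknown subject type: {stype!r}")
    required, optional = SUBJECT_CLAIMS[stype]
    if any(c not in subj for c in required):
        raise ValueError(f"{stype} subject lacks a required claim from {required}")
    # Undefined attributes are dropped, not rejected ("unknown attributes MUST be ignored").
    return {k: subj[k] for k in ("type",) + required + optional if k in subj}

def extract_subjects(set_payload: dict) -> list:
    """Return the primary subject first, then any risc_subject_alt entries."""
    if "risc_subject" in set_payload:
        primary = set_payload["risc_subject"]
        if not isinstance(primary, dict):  # the adopted form is one object, not an array
            raise ValueError("risc_subject must be a single object")
        subjects = [normalize_subject(primary)]  # a nested subject may name its own iss
    elif "sub" in set_payload:
        # Top-level form: SET issuer == subject issuer, so id-token is implied and no iss conflict can arise.
        keys = ("iss", "sub", "email", "phone_number")
        implied = {"type": ID_TOKEN, **{k: set_payload[k] for k in keys if k in set_payload}}
        subjects = [normalize_subject(implied)]
    else:
        raise ValueError("SET carries neither risc_subject nor a top-level sub")
    alts = set_payload.get("risc_subject_alt", [])
    if not isinstance(alts, list):
        raise ValueError("risc_subject_alt must be an array")
    subjects.extend(normalize_subject(alt) for alt in alts)
    return subjects
```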

Single vs. Multiple Events

  • RISC only needs one event per SET. Unknown attributes within an event body MUST be ignored.
  • Three use cases for multiple events were presented and discarded:
    • Extensions: Event extensions will define new attributes directly within the event body. Anyone implementing a proprietary extension will be responsible for avoiding collisions for themselves.
    • Aliases: For migration purposes, a transmitter can send the same event twice, under both the old and new name.
    • Related Events: The SET transaction ID can be used to relate multiple events together, even if they are in different SETs. This behavior is necessary even if multiple events per SET are supported, as there is no guarantee that related events will be transmitted together.
  • Instead of a single risc_subject array, RISC will use two claims in the SET, risc_subject and risc_subject_alt.

Required Subject Types

  • Stream config API will have a subject_types array, identifying which subject types are to be used within SETs transmitted on the stream.
    • Meaning is unclear. Does [iss+sub, email] mean all events have both? Would [iss+sub] mean that Amazon always gets iss+sub even though we enroll using email?
  • Implementers MAY allow receivers to edit the subject_types array to remove subject types that they do not want to receive in SETs.
  • In order to indicate to callers whether all requested changes were supported and accepted, stream config update responses will indicate one of the following:
    • The entire change was accepted.
    • The entire change was rejected.
    • Some of the change was accepted, but one or more requested changes were rejected due to not being supported by the implementation.
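Added illustration, not part of the notes or of any stream config implementation: how a transmitter might evaluate a receiver's edit of the subject_types array and choose one of the three response outcomes listed above. The SUPPORTED set and the rule that an edit leaving no usable subject type is rejected outright are assumptions made for this example.

```python
# Subject type names are those from the session notes; which ones this transmitter
# supports is an assumption made for the example.
BASE = "http://schemas.openid.net/secevent/risc/subject-type/"
SUPPORTED = {BASE + "iss-sub", BASE + "email", BASE + "phone_number"}

# The three outcomes a stream config update response may report.
ACCEPTED, REJECTED, PARTIAL = "accepted", "rejected", "partially_accepted"

def update_subject_types(current: list, requested: list, supported: set = SUPPORTED) -> dict:
    """Evaluate a receiver's proposed subject_types array against what the transmitter supports.

    Removals are always honoured (receivers may drop types they do not want);
    additions are honoured only for supported types. Assumption for this example:
    an edit that would leave no usable subject type is rejected as a whole, so the
    stream keeps its current configuration.
    """
    unsupported = [t for t in requested if t not in supported]
    kept = list(dict.fromkeys(t for t in requested if t in supported))  # dedupe, keep order
    if not kept:
        return {"status": REJECTED, "subject_types": list(current), "rejected": unsupported}
    if unsupported:
        return {"status": PARTIAL, "subject_types": kept, "rejected": unsupported}
    return {"status": ACCEPTED, "subject_types": kept, "rejected": []}
```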