Mike Schwartz’s Post

Gluu Founder / CEO

"OpenID Provider Commands" is a new proposed protocol via Dick Hardt and Karl McGuinness which introduces a mechanism for delivering backchannel "command tokens" (a JWT) that allows an OpenID Provider (OP) to send the following messages to an OpenID Relying Party (RP):

🔑 Activate an account
🔄 Maintain an account
⏸️ Suspend an account
🔓 Reactivate an account
📦 Archive an account
♻️ Restore an account
❌ Delete an account
🚫 Unauthorize an account

Here is a link to a very early draft: https://lnkd.in/gRZKb5nJ

I wonder if a solution similar to OAuth Status List JWT could be used to signal the notifications? The OP issues some kind of long-lived JWT about the account? The RP periodically checks the status list JWT to see if there is a change to the account JWT? In OAuth Status List, you can use 8 bits to signal these changes, which aligns with the current proposed OpenID Provider Commands.

Thoughts: Christian Bormann, Paul Bastian, Tobias Looker?

BTW, draft-07 hot off the presses: https://lnkd.in/gU4tKaHD

OpenID Provider Commands Contribution (start of rabbit hole) https://lnkd.in/gj_FpkFt

More specifically, here is my idea...

1. A new long-lived JWT is returned to the RP called "account-status-token". Just to keep the numbers easy, let's say this account JWT has a status address 1000-1007.
2. When the IDP wants to send a message to the RP, it changes bits 1000-1007 depending on the kind of event (per your 8 suggested items). While the simplest status list deployments use just one bit for token status, the spec allows more bits for signaling.
3. The RP can always retrieve the latest Status JWT per the respective AS .well-known address for the status endpoint. The RP should always refresh the status token for high value transactions. Potentially, the RP can refresh the status more quickly than even access token expiration, as the status list is very small.
4. In this way, you can avoid having to push messages to the RP. Plus I think it's more bandwidth and connection efficient.

When I saw the contribution to Shared Signals, I realized there could be an easier way.
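The following is an added worked example of the status-list idea sketched in the post and the numbered comment above; it is not code from the post author, from the OpenID Provider Commands draft, or from the OAuth Token Status List draft. It follows the Token Status List draft's packing rules (a list of entries that are each `bits` wide, packed least-significant-bit first, zlib-compressed and base64url-encoded in the `status_list.lst` claim, with a Referenced Token pointing at one entry via `status.status_list.idx`), so "account 1000" is entry index 1000 of an 8-bit-per-entry list rather than eight separate bit positions. The account state values, the `op.example` URIs, the account subject and the timestamps are all constructed for this example; the draft itself only registers a few values (0x00 VALID, 0x01 INVALID, 0x02 SUSPENDED) and leaves the rest application-specific. Signing and verifying the two JWTs is left out: an RP would verify the Status List Token's signature against the OP's keys and check its freshness before acting on anything it reads here.

```python
import base64
import zlib

# Constructed, application-specific account states for an 8-bit-per-entry list.
# 0x00 / 0x01 / 0x02 coincide with the values the Token Status List draft registers
# (VALID / INVALID / SUSPENDED); the others are hypothetical for this example.
# Note that a status list carries the account's current *state*, so "activate",
# "reactivate" and "restore" all land on ACTIVE and the RP sees a transition, not
# the command that caused it.
ACTIVE, DELETED, SUSPENDED, MAINTENANCE, ARCHIVED, UNAUTHORIZED = 0x00, 0x01, 0x02, 0x03, 0x04, 0x05


def pack_status_list(statuses, bits):
    """Pack entries of width `bits` (1, 2, 4 or 8) into bytes, LSB first per byte."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    mask = (1 << bits) - 1
    out = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for i, value in enumerate(statuses):
        if value & ~mask:
            raise ValueError(f"status {value} does not fit in {bits} bits")
        out[i // per_byte] |= value << ((i % per_byte) * bits)
    return bytes(out)


def unpack_status(packed, bits, idx):
    """Read entry `idx` back out of a packed list; index past the end is an error."""
    per_byte = 8 // bits
    byte_index = idx // per_byte
    if byte_index >= len(packed):
        raise IndexError(f"index {idx} is outside the status list")
    return (packed[byte_index] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_status_list_claims(statuses, bits, list_uri, issued_at):
    """Claim set of a Status List Token (OP side): zlib + base64url of the packed list."""
    compressed = zlib.compress(pack_status_list(statuses, bits), 9)
    return {
        "sub": list_uri,
        "iat": issued_at,
        "status_list": {"bits": bits, "lst": b64url_encode(compressed)},
    }


def lookup_status(status_list_claims, idx):
    """RP side: decode the list from a (verified) Status List Token and read one entry."""
    sl = status_list_claims["status_list"]
    packed = zlib.decompress(b64url_decode(sl["lst"]))
    return unpack_status(packed, sl["bits"], idx)


def demo():
    """OP issues an account-status-token for entry 1000, later suspends the account."""
    list_uri = "https://op.example/status/accounts"  # constructed
    statuses = [ACTIVE] * 2048  # constructed: 2048 accounts, all active

    # The long-lived "account-status-token" handed to the RP; it only carries a
    # pointer into the list, so it never has to be reissued when the state changes.
    account_status_token = {
        "iss": "https://op.example",  # constructed
        "sub": "user-1000",  # constructed
        "status": {"status_list": {"idx": 1000, "uri": list_uri}},
    }

    before = build_status_list_claims(statuses, 8, list_uri, 1700000000)
    statuses[1000] = SUSPENDED  # the OP's "suspend an account" signal
    after = build_status_list_claims(statuses, 8, list_uri, 1700000300)

    ref = account_status_token["status"]["status_list"]
    return lookup_status(before, ref["idx"]), lookup_status(after, ref["idx"])


if __name__ == "__main__":
    print(demo())
```

The `demo` function returns the state the RP reads from two successive fetches of the list, first `ACTIVE` and then `SUSPENDED`. Because the RP only ever polls the Status List Token, there is no inbound endpoint to expose or authenticate, which is the efficiency argument made in the comment; the cost is that the RP learns of a change only as often as it refreshes, so the polling interval (and the token's `exp`/`ttl`) is the security parameter to set deliberately.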
