What if…. UMA RPT was an OpenID Connect Access Token?
Wednesday 1D Convener: Mike Schwartz
Notes-taker(s): Mike Schwartz
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Mike Schwartz of Gluu provided a high level overview of UMA and OpenID Connect.
The idea he proposed: what if a UMA RPT, rather than an OpenID Connect access token, were used to protect the OpenID Connect UserInfo endpoint? He posted a similar idea here: http://gluu.co/oauth-identity
George Fletcher of AOL suggested that this might not be necessary: perhaps OAuth2 could be used to issue all the necessary scopes up front, and the refresh token could then be used to downscope the token to just the required OpenID Connect scopes. That aside, OpenID Connect still seems to fall a little short for this purpose: providing a solution for distributed user claims aggregation.
There seemed to be consensus that this might not be a bad idea. However, the protected endpoint would not be the UserInfo endpoint itself, but a similar, separate endpoint that also provides user claims.
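To make the two options discussed above concrete, here is a toy model (an added example written for these notes, not Gluu's code or anything presented in the session): an authorization server that issues an access token and then downscopes it via the refresh grant as George described, alongside a claims endpoint that accepts either an OAuth2/OIDC access token (scope check) or a UMA 2.0 RPT (permission check via introspection) as Mike proposed. The resource id `claims-resource`, the claim set, the token strings and the class and function names are all assumptions for illustration.

```python
"""Toy model of an OAuth2 refresh-token downscope and of a claims endpoint
protected by either an OIDC access token or a UMA 2.0 RPT.
Added example for these notes; not Gluu's code. All token values, the
resource id, and the claim/scope mapping below are constructed for illustration."""

import secrets
from dataclasses import dataclass, field

CLAIMS_RESOURCE_ID = "claims-resource"      # hypothetical UMA resource id for the claims endpoint
USER_CLAIMS = {"sub": "alice", "email": "alice@example.com", "name": "Alice"}
# Which claims each scope releases (mirrors the OIDC scope -> claims mapping).
SCOPE_CLAIMS = {"openid": {"sub"}, "email": {"email"}, "profile": {"name"}}


@dataclass
class Token:
    kind: str                              # "access" (OAuth2/OIDC) or "rpt" (UMA)
    scopes: frozenset = frozenset()        # plain scopes, access tokens only
    permissions: list = field(default_factory=list)  # UMA: [{resource_id, resource_scopes}]
    active: bool = True


class AuthorizationServer:
    def __init__(self):
        self.tokens = {}    # token string -> Token
        self.refresh = {}   # refresh token -> scopes originally granted

    def issue(self, scopes):
        """Result of a normal OAuth2 grant: an access token plus a refresh token."""
        at, rt = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[at] = Token("access", frozenset(scopes))
        self.refresh[rt] = frozenset(scopes)
        return at, rt

    def refresh_downscope(self, rt, scopes):
        """RFC 6749 section 6: a refresh request may ask for a narrower scope,
        never a wider one than the original grant."""
        granted = self.refresh.get(rt)
        if granted is None:
            raise ValueError("invalid_grant")
        requested = frozenset(scopes)
        if not requested <= granted:
            raise ValueError("invalid_scope")
        at = secrets.token_urlsafe(16)
        self.tokens[at] = Token("access", requested)
        return at

    def issue_rpt(self, resource_id, resource_scopes):
        """Result of a UMA 2.0 grant: an RPT carrying permissions, not bare scopes."""
        rpt = secrets.token_urlsafe(16)
        self.tokens[rpt] = Token(
            "rpt",
            permissions=[{"resource_id": resource_id,
                          "resource_scopes": list(resource_scopes)}],
        )
        return rpt

    def introspect(self, token):
        """What the resource server sees (RFC 7662 shape; UMA adds 'permissions')."""
        t = self.tokens.get(token)
        if t is None or not t.active:
            return {"active": False}
        out = {"active": True, "token_type": t.kind}
        if t.kind == "access":
            out["scope"] = " ".join(sorted(t.scopes))
        else:
            out["permissions"] = t.permissions
        return out


def claims_endpoint(as_, token):
    """Return only the claims the presented token authorises; {} if invalid or none.
    Accepts an OIDC-style access token (scope check) or a UMA RPT (permission check)."""
    info = as_.introspect(token)
    if not info.get("active"):
        return {}
    if info.get("token_type") == "access":
        granted = set(info["scope"].split())
    else:
        granted = set()
        for p in info.get("permissions", []):
            # Only permissions on the claims resource itself count; an RPT for
            # some other resource says nothing about user claims.
            if p["resource_id"] == CLAIMS_RESOURCE_ID:
                granted |= set(p["resource_scopes"])
    if "openid" not in granted:            # same rule as UserInfo: no openid, no claims
        return {}
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in granted))
    return {k: v for k, v in USER_CLAIMS.items() if k in allowed}
```

The downscope path shows why George's suggestion works in principle (the server only ever narrows the scope set), while the RPT path shows the change Mike proposed: the resource server keys its decision on UMA permissions for a specific resource rather than on the flat scope string an access token carries.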
Unfortunately, however, Mike pointed out that he doesn't have time to embark on such an effort. But maybe someone else does?