Survey is being drafted elsewhere

Pardon our dust. The survey questions are being edited by the working group on Google Doc. To see the latest progress, please visit:


Demographic Questions

We want to collect basic demographic data about the survey respondents to help identify any differences in preferences and concerns.

What is your name?


What is your electronic mail address?


What is the name of the institution you represent?


What type of institution do you represent?

  • I represent the main IT office in a higher education institution 
  • I am with an academic department in a higher education institution
  • I represent a research organization
  • I represent a software vendor
  • I represent myself

What region is your institution located?

  • The United States
  • Europe
  • Canada
  • Mexico
  • Asia
  • Africa
  • Central and South America
  • Other _________________________

How is your role in your institution (check all applicable roles)?

  • I am a CIO / Senior IT Manager
  • I am an IT Architect
  • I am an identity management specialist
  • I am a system administrator
  • I am a software developer
  • I am a faculty member
  • I am a student
  • I am a non-technical staff
  • Other. Please specify ___________________

OIDC/OAuth Interests

What is your involvement with OpenID Connect / OAuth 2?

  • We use OpenID Connect/OAuth extensively now
  • We plan to adopt OpenID Connect in the next 1 to 6 months
  • We plan to adopt OpenID Connect in the next 6 to 18 months
  • We are monitoring, but have no concrete deployment plans
  • We are not interested in OIDC

Why are you interested in deploying OIDC/OAuth support? (please check all that apply)

  • I am deploying an application that only supports OIDC/OAuth
  • I need a way to support native mobile application or API authentication/authorization/single sign on needs.
  • A service I am need to integrate with requires OIDC/OAuth
  • I need to integrate with and OIDC/OAuth identity provider (e.g., Google, Twitter, etc.)
  • I choose OIDC/OAuth because it is easy (e.g., support is built into my development stack)
  • I choose OIDC/OAuth because it is secure
  • Buzz. Because everyone is talking about it.
  • Other ______________________________________________________________________ 


Please describe your OIDC/OAuth use case(s). (better way to phrase this?)



Insert use cases here and ask respondents to rank level of interest for each use case. Need much better phrasing of each use case.

The following are some of the already contributed use cases. Please rank your interest in these: 

As a campus API deployer, I would like the applications calling my API to provide proof that the end user has properly authenticated via the campus SSO, and that either the end user or her IDP has authorized the application to access the information my API provides. Further, I would like to validate that the application is registered to invoke my API.

  • I must have this capability
  • I am very interested
  • I am mildly interested
  • I am not interested
  • I am not sure

As a learning management system operator, I would like to integrate my LMS with learning resource providers supporting the Learning Tools Interoperability (LTI) protocol. LTI uses OAuth token-based authentication. I would like my campus SSO to issue OAuth tokens in a way that is compatible with LTI needs.

  • I must have this capability
  • I am very interested
  • I am mildly interested
  • I am not interested
  • I am not sure

Use Case 3: Federation support in OIDC

  • I must have this capability
  • I am very interested
  • I am mildly interested
  • I am not interested
  • I am not sure

Use Case n: ....

IT Decision Maker Focused Questions

Should OpenID Connect/OAuth 2 be built into future Shibboleth or other Internet2 TIER offering?

  • Yes. I am willing to contribute funding and/or resources to make it happen
  • Yes.
  • No.
  • Tell me more. What is TIER?

How important is federation support in OpenID Connect/OAuth?

we likely need to provide a brief explanation of what "federation support" means here.

  • It is essential
  • It is very important
  • It is a nice to have
  • It is not important
  • I am not sure

Developer Focused Questions 

Which Programming Language(s) do you use (check all that apply)?

  • Ruby
  • PHP
  • Java
  • Javascript
  • .Net (C# or VB.Net)
  • Objective C or Swift
  • Python
  • Other _______________________________


Please check the IDE and/or development framework you use (check all that apply).

it occurs to me that if this question is intended to test whether the momentum to support OIDC in the developer community is due to built-in tool support, we might want to ask about the development framework/library they use as well as tools.


  • JetBrains
  • Eclipse
  • Visual Studios
  • NetBeans
  • Komodo
  • Other ________________________________

Additional Questions to be sorted 


  • Who are the actors for this use case?  Are they affiliated with multiple institutions within the federation?
  • Does the use case involve authentication from mobile devices?
  • Is the software for this use case developed by your institution?
    • If yes, what language and IDE are used?
    • If no, it is the software operated by your institution, or is it SaaS?
  • Is the ability to revoke permissions important?
  • Is user consent important?
  • Is the RP run by same organization as the OP? 
  • Is there a business process for registering partner RPs?
  • What information is needed by the RP?  Is non-identity information like location needed?


  • Is your campus using OAuth2 to protect APIs?
  • Are you using scopes to control access to those APIs?
    • If so, what scopes have you defined and how are they used? Example: a white pages API might define scopes of 'public', 'institution' and 'private', which would correspond with the access rights needed to see a attributes that were marked public, institution only, or private.
    • If so, how do you control which users or apps can authorize which scopes?
  • How long do you issue access tokens for? Does lifetime depend on scope?
  • How long are refresh tokens good for? Can you continually refresh for a new refresh token?
  • What is your process for registering new apps/Oauth2 clients?
  • Token revocations
    • Do you revoke any tokens when a user's account is deactivated?
    • How do resource servers/APIs know about revoked tokens? via token introspection? event notification?
  • What tool or SDK is your resource server/API using to validate tokens?
  • Do you support rotating the signing key used by the Authorization server?
  • No labels

1 Comment

  1. I think the ' the IDE and/or development framework' would be better served by asking about framework/library or a language and not asking about the IDE at all.  Any OIDC or OAuth2 features an app uses will be provided by a framework/library and not the IDE. For example, if we were asking about SAML tools options would be things like OpenSAML, SimpleSAMLPhp, Shibboleth and not the IDE themselves.