Demographic Questions

We want to collect basic demographic data about the survey respondents to help identify any differences in preferences and concerns.

What is the name of the institution you represent?

________________________________________

What type of institution do you represent?

  • I represent the main IT office in a higher education institution 
  • I am with an academic department in a higher education institution
  • I represent a research organization
  • I represent a software vendor
  • I represent myself

In what region is your institution located?

  • the United States
  • Europe
  • Canada
  • Mexico
  • Asia
  • Africa
  • Central and South America
  • Other _________________________

What is your role in your institution (check all applicable roles)?

  • I am a CIO / Senior IT Manager
  • I manage 
  • I am an IT Architect
  • I am an identity management specialist
  • I am a system administrator
  • I am a software developer
  • I am a faculty member
  • I am a student
  • I am a non-technical staff member
  • Other. Please specify ___________________

 

OIDC/OAuth Interests

Insert use cases here and ask respondents to rank level of interest for each use case. Need much better phrasing of each use case.

Please take a moment to read the following OIDC/OAuth use cases. Rank your level of interest for each:

Use Case 1: Issue OAuth tokens to an application. Use the token as an authentication/authorization mechanism when calling an API. 

  • I must have this capability
  • I am very interested
  • I am mildly interested
  • I am not interested

Use Case 2: Issue OAuth tokens to a human user. The token is used by an application as proof of authorization when calling an API. 

  • I must have this capability
  • I am very interested
  • I am mildly interested
  • I am not interested

Use Case 3: Federation support in OIDC

  • I must have this capability
  • I am very interested
  • I am mildly interested
  • I am not interested

Use Case n: ....

Are there other OIDC/OAuth use cases you'd like to add? Please describe them below:

_____________________________________________________________________

IT Decision Maker Focused Questions

What is your institution's involvement with OpenID Connect / OAuth 2?

  • We use OpenID Connect/OAuth extensively now
  • We plan to adopt OpenID Connect in the next 1 to 6 months
  • We plan to adopt OpenID Connect in the next 6 to 18 months
  • We are monitoring, but have no concrete deployment plans
  • We are not interested in OIDC

Should OpenID Connect/OAuth 2 be built into future Shibboleth or other Internet2 TIER offerings?

  • Yes. I am willing to contribute funding and/or resources to make it happen
  • Yes.
  • No.

 

Developer Focused Questions 

  • Is your campus using OAuth2 to protect APIs?
  • Are you using scopes to control access to those APIs?
    • If so, what scopes have you defined and how are they used? Example: a white pages API might define scopes of 'public', 'institution' and 'private', which would correspond to the access rights needed to see attributes that were marked public, institution only, or private.
    • If so, how do you control which users or apps can authorize which scopes?
  • How long do you issue access tokens for? Does lifetime depend on scope?
  • How long are refresh tokens good for? Can you continually refresh for a new refresh token?
  • What is your process for registering new apps/OAuth2 clients?
  • Token revocations
    • Do you revoke any tokens when a user's account is deactivated?
    • How do resource servers/APIs know about revoked tokens? Via token introspection? Event notification?
  • What tool or SDK is your resource server/API using to validate tokens?
  • Do you support rotating the signing key used by the Authorization server?


Additional Questions to be sorted 

 

  • Who are the actors for this use case?  Are they affiliated with multiple institutions within the federation?
  • Does the use case involve authentication from mobile devices?
  • Is the software for this use case developed by your institution?
    • If yes, what language and IDE are used?
    • If no, is the software operated by your institution, or is it SaaS?
  • Is the ability to revoke permissions important?
  • Is user consent important?
  • Is the RP run by the same organization as the OP?
  • Is there a business process for registering partner RPs?
  • What information is needed by the RP?  Is non-identity information like location needed?