[Openid-specs-ab] Issue #1233: 5.3.2 (te) `uid` and `cp_sub` should not be here but to the requast to the claims endpoint (possibly) (openid/connect)

Nat issues-reply at bitbucket.org
Wed May 12 19:33:01 UTC 2021

New issue 1233: 5.3.2 (te) `uid` and `cp_sub` should not be here but to the requast to the claims endpoint (possibly)

Nat Sakimura:

`uid` and `cp_sub` is not supposed to be in this section. The OP has no way of specifying it at this point which is in the setup process. It can only do so in the request to the claims endpoint. 

Thus, remove the following: 

 and defines the following new Claims in addition to the Claims defined in the OpenID Connect specification OpenID Connect 1.0 [OIDC](https://openid.net/specs/openid-connect-core-1_0.html):

* **uid** _string_ The value is the base64url encoded representation of the thumbprint of the Client's public key for signing. This thumbprint value is computed as the SHA-256 hash of the octets of the UTF-8 representation of a JWK constructed containing only the REQUIRED members to represent the key, with the member names sorted into lexicographic order, and with no white space or line breaks. For instance, when the kty value is RSA, the member names e, kty, and n are the ones present in the constructed JWK used in the thumbprint computation and appear in that order; when the kty value is EC, the member names crv, kty, x, and y are present in that order. Note that this thumbprint calculation is the same as that defined in the JWK Thumbprint [\[JWK.Thumbprint\]](https://openid.net/specs/openid-connect-core-1_0.html#JWK.Thumbprint) specification.
* **cp\_sub** _string_ The Claim Providers _sub_ identifier for the authenticated user


Responsible: Edmund Jay

More information about the Openid-specs-ab mailing list