[Openid-specs-ab] Issue #1234: 5.3 (ed) The title is confusing and the last two belongs to a later section. (openid/connect)

Nat issues-reply at bitbucket.org
Wed May 12 20:29:18 UTC 2021


New issue 1234: 5.3 (ed) The title is confusing and the last two belongs to a later section.
https://bitbucket.org/openid/connect/issues/1234/53-ed-the-title-is-confusing-and-the-last

Nat Sakimura:

## Rationale

5.3 is a setup phase for the OP to obtain an access token (and refresh token) to obtain the current user's claims from CP. By doing so, the user can avoid going through a new grant dialogue at every RP request. Just marking it as “Authentication Request” does not help readers understand what is going on here.

Accordingly, the content needs to be updated as well.

## Proposal 

Change the title from “**5.3 Authentication Request**” to “**5.3 OP User Setup Phase at the CP**”

Additionally, replace the content as follows.

> **5.3.1 The OP making an Authorization Request to the CP to obtain Access Token and Refresh Token**  
>   
> In this phase, the OP obtains an access token (and optionally a refresh token) that is bound to the current user so that the OP can subsequently obtain the claims about the current user from the CP without taking the user to the CP and showing them the consent dialogue for every RP request.  
>   
> Authentication requests to the CP by the OP are made using the OpenID Connect Authorization Code Flow with PKCE [@RFC7636] or FAPI 1.0 Advanced Security Profile. 
>
> Requests for specific claims MUST be made using scope values, claims values, and/or Request Objects in the Authentication Request.   
>   
> The CP MUST show the dialogue to the user to obtain their grant.  
>   
> After obtaining the grant, the CP returns a `code` that is used by the OP to access the token endpoint to obtain an Access Token and, if possible, a Refresh Token. These tokens are used in the RP Request Phase.   
>   
> **5.3.2 OP specifically asking for claims to be returned from the Claims Endpoint of the CP**  
>   
> defines the following top-level member to the Claims request JSON object:
>
> **c_token** Optional. Requests that the listed individual Claims be returned from the Claims Endpoint. If present, the listed Claims are being requested to be added to any Claims that are being requested using scope values. If not present, the Claims being requested from the Claims Endpoint are only those requested using scope values. This top-level member is a JSON object with the names of the individual Claims being requested as the member names and the values are defined as in 5.5.1 of OpenID Connect 1.0 [OIDC].
>
> OpenID Claims Aggregation supports the requesting of additional claims and verified claims defined in OpenID Connect for Identity Assurance 1.0 [OpenID.IDA] for the c_token member of the Claims request JSON object.
>
> When the c_token member is used, the request MUST also use a response_type value that results in an Access Token being issued to the Client for use at the claims endpoint.
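The setup-phase request proposed above, as an added example that is not part of the issue or of the Claims Aggregation spec: the OP builds an Authorization Code Flow request to the CP with an S256 PKCE challenge and a `claims` parameter carrying the proposed `c_token` member, and refuses a `response_type` that would not result in an Access Token. The endpoint, client_id and redirect_uri values are hypothetical; the PKCE function follows RFC 7636 and is checked against that RFC's Appendix B vectors.

```python
import base64
import hashlib
import json
import secrets
from urllib.parse import urlencode

# Hypothetical CP endpoint and OP client registration, constructed for this example.
CP_AUTHORIZATION_ENDPOINT = "https://cp.example.com/authorize"
OP_CLIENT_ID = "op-client-id"
OP_REDIRECT_URI = "https://op.example.com/cp-callback"


def pkce_challenge(code_verifier: str) -> str:
    """S256 code_challenge per RFC 7636: BASE64URL(SHA256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, inside RFC 7636's 43..128 length range."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def claims_request(c_token_claims: dict, response_type: str) -> dict:
    """Claims request JSON object with the proposed top-level c_token member.

    The proposal requires a response_type that yields an Access Token: 'code' (via the
    token endpoint) or a 'token' component; a bare 'id_token' response_type is rejected.
    """
    parts = response_type.split()
    if "code" not in parts and "token" not in parts:
        raise ValueError("c_token requires a response_type that issues an Access Token")
    return {"c_token": c_token_claims}


def build_authorization_request(code_verifier: str, c_token_claims: dict,
                                state: str, nonce: str) -> str:
    """Authorization Code Flow + PKCE request URL from the OP to the CP (5.3.1)."""
    params = {
        "response_type": "code",
        "client_id": OP_CLIENT_ID,
        "redirect_uri": OP_REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
        "claims": json.dumps(claims_request(c_token_claims, "code"), separators=(",", ":")),
    }
    return CP_AUTHORIZATION_ENDPOINT + "?" + urlencode(params)
```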
