[Openid-specs-ab] Definition of required and optional claims? Handling?

Henrik Biering hb at peercraft.com
Sat Apr 21 17:23:50 UTC 2012

@Roland: I basically agree to your suggestions for case types 1) and 
2).  However, if the IdP's attribute release policies are aligned with 
the European Data Protection Directive or based on a contract with the  
user, the classification of some cases may be difficult and depend on 
subtleties in the users dialogue with the IdP.

@Mike + John: If type 2) cases result in broken authentication as I 
assumed from yours posts, it will just cement the current non-trusted 
formfilling practice, where RP's request everything and users provide 
mumbo jumbo, because they know that the information is neither needed, 
nor checked. I think it is important not to obstruct a fluid transition 
from this scenario to proper mutually trusted identity management.

I do not object to error responses, if they
a) do not break the flow or make it more complicated for users that 
prefer to not provide information rather than to provide dummy information
b) add value to the process and the RP's subsequent considerations

Alternatively IdP's will have no real choice in type 2) cases but to 
return default "not applicable" attributes that most RP's will 
unknowingly consume simularly to any other dummy information.


On 20-04-2012 08:36, Roland Hedberg wrote:
> 13 apr 2012 kl. 01:55 skrev Henrik Biering:
>> I strongly disagree in treating a missing required claim as an error!
> So a required claim can be missing for basically two reasons:
> 1) The IdP can't release the information, because it doesn't have it or because it can't due to IdP attribute release policies
> 2) The user decides not to divulge the information
> Regarding 2, the user should be made aware by the GUI on the IdP side what will happen
> if the information is not release. If he/she still persists in refusing to allow the claim to be sent.
> The user will know that the authorization will fail.
> The question is how the RP learns about what happened.
> Because the RP should handle these two cases differently.
> 1) definitely should result in an error code
> For (2) if the OP returns a success code but with no or a curtailed set of claims that will then mean that the RP must be able to figure out what will happen if it tries to go trough with the remaining steps of the process.
> Is that to much to ask ?
> -- Roland
> ------------------------------------------------------
> Roland Hedberg
> IT Architect/Senior Researcher
> ICT Services and System Development (ITS)
> Umeå University
> SE-901 87 Umeå, Sweden	
> Phone +46 90 786 68 44
> Mobile +46 70 696 68 44
> www.its.umu.se

More information about the Openid-specs-ab mailing list