[Openid-specs-ab] Definition of required and optional claims? Handling?
Michael.Jones at microsoft.com
Sat Apr 21 17:50:31 UTC 2012
I've filed issue #577 "Messages 220.127.116.11.1.1 - Behavior when required claims unavailable underspecified" to track this issue. We should add this to the list of issues to resolve at the in-person working group meeting at Yahoo! on April 30th: http://apr30-oidf-wg.eventbrite.com/.
From: Henrik Biering [mailto:hb at peercraft.com]
Sent: Saturday, April 21, 2012 10:24 AM
To: Roland Hedberg
Cc: Mike Jones; openid-specs-ab at lists.openid.net; John Bradley
Subject: Re: [Openid-specs-ab] Definition of required and optional claims? Handling?
@Roland: I basically agree with your suggestions for case types 1) and 2). However, if the IdP's attribute release policies are aligned with the European Data Protection Directive or based on a contract with the user, the classification of some cases may be difficult and depend on subtleties in the user's dialogue with the IdP.
@Mike + John: If type 2) cases result in broken authentication as I assumed from your posts, it will just cement the current non-trusted form-filling practice, where RPs request everything and users provide mumbo jumbo, because they know that the information is neither needed, nor checked. I think it is important not to obstruct a fluid transition from this scenario to proper mutually trusted identity management.
I do not object to error responses, if they
a) do not break the flow or make it more complicated for users that prefer to not provide information rather than to provide dummy information
b) add value to the process and the RP's subsequent considerations
Alternatively, IdPs will have no real choice in type 2) cases but to return default "not applicable" attributes that most RPs will unknowingly consume similarly to any other dummy information.
On 20-04-2012 08:36, Roland Hedberg wrote:
> On 13 Apr 2012 at 01:55, Henrik Biering wrote:
>> I strongly disagree in treating a missing required claim as an error!
> So a required claim can be missing for basically two reasons:
> 1) The IdP can't release the information, because it doesn't have it
> or because it can't due to IdP attribute release policies
> 2) The user decides not to divulge the information
> Regarding 2, the user should be made aware by the GUI on the IdP side
> what will happen if the information is not released. If he/she still persists in refusing to allow the claim to be sent,
> the user will know that the authorization will fail.
> The question is how the RP learns about what happened.
> Because the RP should handle these two cases differently.
> 1) definitely should result in an error code
> For (2) if the OP returns a success code but with no or a curtailed set of claims that will then mean that the RP must be able to figure out what will happen if it tries to go through with the remaining steps of the process.
> Is that too much to ask?
> -- Roland
> Roland Hedberg
> IT Architect/Senior Researcher
> ICT Services and System Development (ITS) Umeå University
> SE-901 87 Umeå, Sweden
> Phone +46 90 786 68 44
> Mobile +46 70 696 68 44
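The thread above distinguishes an OP that cannot release a claim (an error response) from a user who declines a claim (a success response with a curtailed claim set), and Henrik warns that RPs otherwise consume "not applicable" filler values as if they were real data. The following is an added example, not code from the mailing list, any OpenID spec draft, or any of the participants, showing how an RP could check a claims response against its own required/optional list before continuing. The response shapes (`"error"` key for the OP-error case, `"claims"` key for the success case), the `ClaimsPolicy` structure, and the treatment of empty strings as absent are assumptions for illustration.

```python
"""RP-side evaluation of a claims response with required and optional claims.

Added example, not taken from the thread or from any spec text. The response
formats and policy structure below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, List


@dataclass(frozen=True)
class ClaimsPolicy:
    """Claims the RP actually needs to proceed versus ones it merely welcomes."""
    required: FrozenSet[str]
    optional: FrozenSet[str]


@dataclass
class Outcome:
    # "op_error": the OP signalled it could not release (case 1 in the thread)
    # "missing_required": success response, but a needed claim is absent (case 2)
    # "ok": every required claim is present with a usable value
    status: str
    missing: List[str] = field(default_factory=list)
    detail: str = ""


def _present(value: Any) -> bool:
    """Treat None, empty and whitespace-only strings as absent so that a
    'not applicable' filler is not silently consumed as real data."""
    if value is None:
        return False
    if isinstance(value, str) and not value.strip():
        return False
    return True


def evaluate_claims_response(policy: ClaimsPolicy, response: Dict[str, Any]) -> Outcome:
    """Decide whether the RP can go through with the remaining steps."""
    # Assumed shape: an OP that cannot release returns an error object.
    if "error" in response:
        return Outcome("op_error", detail=response.get("error_description", response["error"]))
    claims = response.get("claims", {})
    missing = sorted(c for c in policy.required if not _present(claims.get(c)))
    if missing:
        # Success code from the OP, but the RP cannot proceed without these.
        return Outcome("missing_required", missing=missing)
    # Optional claims never block the flow; they are simply used if present.
    return Outcome("ok")


# Constructed sample policy and responses (not real OP output).
POLICY = ClaimsPolicy(required=frozenset({"email"}), optional=frozenset({"name", "phone"}))

OP_ERROR = {"error": "access_denied", "error_description": "claim not releasable"}
USER_DECLINED = {"claims": {"name": "Alice"}}            # user withheld email
FILLER_VALUE = {"claims": {"email": "   ", "name": "Alice"}}  # 'not applicable' filler
FULL = {"claims": {"email": "alice@example.invalid", "name": "Alice"}}

if __name__ == "__main__":
    for label, resp in [("op_error", OP_ERROR), ("declined", USER_DECLINED),
                        ("filler", FILLER_VALUE), ("full", FULL)]:
        print(label, evaluate_claims_response(POLICY, resp))
```

The point of the `_present` check is the one Henrik raises: a blank or placeholder value for a required claim is handled the same way as a missing one, so the RP learns that it cannot proceed instead of treating filler as a real attribute. Optional claims are never a reason to stop the flow.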