[Openid-specs-ab] May 25, 2012 OpenID Connect Update Release

Mike Jones Michael.Jones at microsoft.com
Tue Jun 5 17:09:17 UTC 2012

We discussed having separate scopes like email_id at the in-person working group meeting at Yahoo! and explicitly rejected that approach.  We're not trying to provide fine-grained control with scopes.  (If you need that, use a request object.)  We are providing a binary switch saying that the scope-requested claims are to be returned in a different place.  As such, at least as I see it, the logical place to make that declaration is also as a scope value.

Per Brian's comment about special treatment for scope values - that was already true without claims_in_id_token.  The "openid" scope alters/augments the semantics of the rest of the entire OAuth exchange (including enabling the id_token).  Compared to that, the special handling for the claims_in_id_token scope value is much less pervasive in impact.

For what it's worth, I'm strongly against defining a new parameter when the consensus decision at the in-person working group was to use a scope value.  We specifically discussed that approach and agreed upon it.  I believe that if we're going even consider changing that, we should likewise do so at another in-person working group meeting.  The reason I say that is that the decisions made in March at Yahoo! were *much* more widely reviewed and discussed than most working group decisions, and so should be accorded special respect.  (That's the reason we decide consequential things at in-person WG meetings, after all.)

                                                            -- Mike

From: John Bradley [mailto:ve7jtb at ve7jtb.com]
Sent: Tuesday, June 05, 2012 9:53 AM
To: Brian Campbell
Cc: Mike Jones; openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] May 25, 2012 OpenID Connect Update Release

I don't know that anyone is deeply attached to having it as a scope.   The idea was to not require a request object.

Scopes implicitly specify the RS endpoint.   This is sort of modifying the endpoint for other scopes, and I understand that is a touch awkward.

Would something like having separate scopes like:

If you ask for email it comes back from user_info and if you ask for email_id it is in the id_token.

Or is there something else you are thinking such as adding an extra parameter?  We are trying not to diverge from OAuth as much as possible. (Yes I know id_token is a big divergence)

If people don't like the claims_in_id_token scope then lets get alternate proposals on the table quickly.

John B.

On 2012-06-05, at 12:25 PM, Brian Campbell wrote:

I'm trying to understand why a scope was used to indicate the desire for user info claims to be returned in the ID Token? It really seems like something that should be isolated to a flag on the request (a new parameter or something in the request object). It feels out of place as a scope and will require ASs to have special conditional treatment of that one scope value (which I'd like to avoid as I'd think most implementers would).

On Sat, May 26, 2012 at 12:13 AM, Mike Jones <Michael.Jones at microsoft.com<mailto:Michael.Jones at microsoft.com>> wrote:

  *   Added scope value claims_in_id_token as a switch to indicate that the UserInfo claims should be returned in the ID Token, per issue #561
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120605/be0741ec/attachment-0001.html>

More information about the Openid-specs-ab mailing list