[Openid-specs-ab] Resolving ID Token + UserInfo claim requests

Roland Hedberg roland.hedberg at adm.umu.se
Thu Oct 11 09:24:51 UTC 2012

Hi Vladimir,

11 okt 2012 kl. 10:25 skrev Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>:

> For that. I want to ask, can we say that the following claims
> categorisation is correct:
> On the top level we have REQUIRED and OPTIONAL claims:
> * REQUIRED claims that the AS must include in all cases: For the IDToken
> these are the claims marked as required in Messages 2.1.1.; for UserInfo
> the "user_id" claim as per Messages 2.3.2.

Herein lies most of the messiness, a total of four special cases:
- Depending on the response_type value in the Authorization Request 'nonce' 
  is either REQUIRED or OPTIONAL. 
- at_hash is REQUIRED if the ID Token is issued together with an access_token.
- c_hash is REQUIRED if the ID Token is issued together with a code.
- auth_time is REQUIRED if claimed in the OpenID Request Object otherwise

In fact I think it's wrong to mark at_hash and c_hash as OPTIONAL because they 
are either REQUIRED or not expected to occur.

> * OPTIONAL claims which the AS may or may not provide; of these
> depending on the client request we have as per Messages
>    * ESSENTIAL: claims marked as crucial for the client operation.
>    * VOLUNTARY: claims marked as nice-to-have for the client operation.

I guess the possibly OPTIONAL ones from 2.1.1 are of the 
VOLUNTARY type, though that is not stated anywhere.
-- Roland
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS)
Umeå University
SE-901 87 Umeå, Sweden
Phone +46 90 786 68 44
Mobile +46 70 696 68 44
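The conditional rules Roland lists (nonce, at_hash, c_hash, auth_time) as an added relying-party-side check; this is example code, not code from the thread or from any OpenID implementation. It assumes nonce is required whenever response_type includes id_token, and that the JWS alg suffix (256/384/512) selects the SHA-2 hash used for at_hash and c_hash.

```python
# Added example (not from the mailing-list thread): RP-side validation of the
# conditional ID Token claim rules. Assumption: nonce is REQUIRED whenever
# response_type includes id_token; at_hash/c_hash use SHA-2 sized by the alg.
import base64
import hashlib

_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}


def left_half_hash(value: str, alg: str) -> str:
    """at_hash / c_hash: base64url(left-most half of hash(value)), no padding."""
    digest = _HASH_FOR_ALG[alg[-3:]](value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def check_id_token_claims(claims, response_type, alg,
                          access_token=None, code=None, auth_time_requested=False):
    """Return a list of problems; an empty list means the conditional rules hold."""
    problems = []
    rts = response_type.split()
    # nonce: REQUIRED when the ID Token is returned from the authorization endpoint
    if "id_token" in rts and "nonce" not in claims:
        problems.append("nonce missing although response_type includes id_token")
    # at_hash: REQUIRED iff an access_token was issued alongside; otherwise not expected
    if access_token is not None:
        if claims.get("at_hash") != left_half_hash(access_token, alg):
            problems.append("at_hash missing or does not match the issued access_token")
    elif "at_hash" in claims:
        problems.append("at_hash present but no access_token was issued")
    # c_hash: same pattern for the authorization code
    if code is not None:
        if claims.get("c_hash") != left_half_hash(code, alg):
            problems.append("c_hash missing or does not match the issued code")
    elif "c_hash" in claims:
        problems.append("c_hash present but no code was issued")
    # auth_time: REQUIRED only when the request asked for it
    if auth_time_requested and "auth_time" not in claims:
        problems.append("auth_time was requested but is missing")
    return problems


if __name__ == "__main__":
    # Constructed sample: hybrid flow returning code, id_token and token.
    tok, code = "constructed-access-token", "constructed-code"
    good = {"nonce": "n-0S6_WzA2Mj", "at_hash": left_half_hash(tok, "RS256"),
            "c_hash": left_half_hash(code, "RS256"), "auth_time": 1349946291}
    print(check_id_token_claims(good, "code id_token token", "RS256", tok, code, True))
```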
