[Openid-specs-ab] Pointing out that the UserInfo claims can be extended

Mike Jones Michael.Jones at microsoft.com
Tue Mar 26 20:42:20 UTC 2013


-----Original Message-----
From: nat [mailto:nat at sakimura.org] 
Sent: Monday, March 25, 2013 10:17 PM
To: Mike Jones
Cc: openid-specs-ab at lists.openid.net
Subject: Re: Pointing out that the UserInfo claims can be extended

 Yes, but it is very obscure.

 I had inquiry from multiple sources in multiple countries about how to  extend the userinfo claims.
 This is the sign that we should clarify the text.

 Perhaps adding something like this would help (in Messages)

 2.5.4. Extended Claims

 While this specification defines only small set of claims as standard  claims,  other claims MAY be used in conjunction with the standard claims.

 When using such claims, it is RECOMMENDED to use a collision resistant  names  for claim names. If the claim is believed to have general  applicability,  then it is RECOMMENDED to be added to the IANA JSON Web Token claims  registry.


 On Tue, 26 Mar 2013 00:46:26 +0000, Mike Jones wrote:
> Hi Nat,
> On one of the calls you'd asked me to point out in the specs that the 
> set of claims that can be returned from the UserInfo endpoint can be 
> extended.  I looked into doing that, and discovered that Messages, 
> Basic, and Implicit already have this text about the UserInfo
> Response:
>                 The Claims defined in <xref target="StandardClaims"/> 
> can be returned, as can additional Claims not specified there.
> So we're already saying that the claims can be extended.
> If that's not what you had in mind, could you provide alternative 
> language that you were thinking of instead?
> Thanks,
>                                                                 -- 
> Mike

More information about the Openid-specs-ab mailing list