[Openid-specs-ab] [openid/connect] Standard 4.1 - Add claim filter to user info request (issue #832)
issues-reply at bitbucket.org
Thu Apr 25 18:18:35 UTC 2013
New issue 832: Standard 4.1 - Add claim filter to user info request
Why is there no way to specify the claims a client wants to obtain in the user info request?
It seems the claim set returned by the user info response is controlled by the scope/claim parameter of the openid authorization request. This means a client must acquire a new access token in order to effectively change the response of the user info endpoint. Seems a bit strange to me.
Moreover, it also requires the client to specify all claims it wants to query when obtaining the access token. For our internal applications, this would mean sending up to 40 claim names in an authorization, although access is not authorized by the user but by a system policy on a per-client basis. This unnecessarily increases the request size (URL length).
I think a parameter to list the claims a client wants to obtain would be very useful and a reasonable extension to the current design.
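
The behaviour the issue describes, as an added example that is not part of the original message or of any OpenID Connect implementation: the UserInfo claim set is fixed by the `scope` and `claims` values of the authorization request, so naming claims one by one grows the request URL. It assumes the scope-to-claim mapping and `claims` parameter of OpenID Connect Core 1.0 (sections 5.4 and 5.5); the function names, endpoint, client and claim names are constructed for illustration.

```python
import json
from urllib.parse import urlencode

# Scope-to-claim mapping from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

def granted_userinfo_claims(scope, claims_param=None):
    """Claim names fixed at authorization time for the UserInfo response."""
    names = {"sub"}  # sub is always present in a UserInfo response
    for value in scope.split():
        names.update(SCOPE_CLAIMS.get(value, []))
    if claims_param:
        # Only the "userinfo" member applies to the UserInfo endpoint.
        names.update(json.loads(claims_param).get("userinfo") or {})
    return names

def userinfo_response(user_record, grant):
    """Filter the stored record down to what the token's grant allows."""
    allowed = granted_userinfo_claims(grant["scope"], grant.get("claims"))
    return {k: v for k, v in user_record.items() if k in allowed}

def authorization_url(endpoint, client_id, redirect_uri, claim_names):
    """Authorization request that names each wanted claim individually."""
    claims = json.dumps({"userinfo": {n: None for n in claim_names}},
                        separators=(",", ":"))
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": "openid",
                       "claims": claims})
    return f"{endpoint}?{query}"

if __name__ == "__main__":
    # Constructed sample data: hypothetical endpoint, client and claim names.
    wanted = [f"claim_{i:02d}" for i in range(40)]
    url = authorization_url("https://op.example.com/authorize", "internal-app",
                            "https://app.example.com/cb", wanted)
    print(len(url), "characters in the authorization URL")
    grant = {"scope": "openid email"}
    record = {"sub": "u1", "email": "a@example.com", "phone_number": "+10000000"}
    print(userinfo_response(record, grant))  # phone_number is filtered out
```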