[Openid-specs-ab] Add claim filter to user info request

Torsten Lodderstedt torsten at lodderstedt.net
Thu May 2 06:17:48 UTC 2013

Hi all,

please take a look at 
and give your feedback.

I think the way to control the claim set returned by the user info 
endpoint needs some clarification/improvement.


It seems the claim set returned by the user info response is controlled 
by the scope/claim parameter of the openid authorization request. This 
means a client must acquire a new access token in order to effectively 
change the response of the user info endpoint. Seems a bit strange to 

Moreover, it also requires the client to specify all claims it wants to 
query when obtaining the access token. For our internal applications, 
this would mean to send up to 40 claim names in an authorization 
although access is not authorized by the user but a system policy on a 
per client base. This unnecessary increases the request size (URL 

I think a parameter to list the claims a client wants to obtain would 
be very useful and a reasonable extension to the current design.

More information about the Openid-specs-ab mailing list