[Openid-specs-ab] Add claim filter to user info request

Anthony Nadalin tonynad at microsoft.com
Thu May 2 16:28:13 UTC 2013

I would hope people would use the SCIM endpoint and not the user information endpoint; more bang for the buck.

-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Wednesday, May 1, 2013 11:18 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Add claim filter to user info request

Hi all,

please take a look at
and give your feedback.

I think the way to control the claim set returned by the user info endpoint needs some clarification/improvement.


It seems the claim set returned by the user info response is controlled by the scope/claim parameter of the openid authorization request. This means a client must acquire a new access token in order to effectively change the response of the user info endpoint. Seems a bit strange to me.

Moreover, it also requires the client to specify all claims it wants to query when obtaining the access token. For our internal applications, this would mean sending up to 40 claim names in an authorization although access is not authorized by the user but by a system policy on a per-client basis. This unnecessarily increases the request size (URL length).

I think a parameter to list the claims a client wants to obtain would be very useful and a reasonable extension to the current design.