[Openid-specs-ab] Essential claims with the scope value openid

Roland Hedberg roland at catalogix.se
Tue Aug 29 09:52:25 UTC 2017

> 29 aug. 2017 kl. 11:29 skrev Bhathiya Jayasekara <tobhathiyaj at gmail.com>:
> Hi Roland/John,
> On Tue, Aug 29, 2017 at 1:55 PM, Roland Hedberg <roland at catalogix.se> wrote:
> > On Aug 8, 2017 7:49 AM, "Hasini Witharana" <hasinidilanka at gmail.com> wrote:
> > Hi,
> >
> > Currently I am working with OpenID Connect Certification basic profile. In the OP, I have configured some claims to be gained when the scope is openid. When I send a authorization request with  an essential claim I will get all claims for openid and the essential claim. In the specifications there is no, rule as It should return only the essential claim. "OP-claims-essential" test is failing because unexpected claims are returned. Can you please clarify this issue?
> Must be my long vacation :-) but I’m not sure I understand what you’re saying here.
> This is my interpretation.
> 1) you have an OP that returns a set of claims when the scope is ’openid’.
> As John said that set should only be ’subject’ and ’issuer’.
> Does the spec explicitely say so (i.e. the 'only' part)? I couldn't find so anywhere. Would you mind pointing out where it is? 

OK, so I’m just back from a loooong vacation :-)
The ’only’ part was a bit overstated.

There are two places where you can get back claims, in the ID token or from the Userinfo endpoint.
Regarding the ID token there are a number of claims that are required among them ’iss’ and ’sub’.
For the Userinfo response the only claim that MUST be there is ’sub’.

To summarize; the standard specifies a number of claims that MUST be present in a compliant response but it says nothing 
about which other claims that may be returned. 

GDPR on the other hand does.

> Thanks and regards,
> Bhathiya
> 2) You run the ’OP-claims-essential’ test using the OpenID test tool.
> This will send an authorization request including one essential claim (’name’)
> So, you should expect to get back ’subject’, ’issuer’ and ’name’.
> Now, You say that the test fails due to ’unexpected claims’ being returned.
> This means your OP returns more claims then these three.
> I don’t know what the extra claims are but as John and Nat has pointed out your OP MUST not return
> claims that are not asked for.
> If my interpretation is right the test tool does exactly what it should.
> -- Roland
> "Education is the path from cocky ignorance to miserable uncertainty.” - Mark Twain
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark Twain

More information about the Openid-specs-ab mailing list