[Openid-specs-ab] Stackoverflow question.

Filip Skokan panva.ip at gmail.com
Tue Jun 19 19:56:51 UTC 2018


I agree the specification is clear. But it's very easy to miss this and I
believe it to be the general expectation from developers that requesting
claims using the scopes parameter makes these available in the id_token
regardless of the response_type used. A note in each ID Token section would
make this more clear.

Also, *Section 5.4 Requesting Claims using Scope Values* (
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
enumerates the spec-defined (recommended) scopes `profile, email, address,
and phone` but does not mention what the expected behaviour is for other
claims related to OP-specific (custom) scopes.
E.g. an OP has a custom scope `birthdate` with which it returns `birthdate`
and `http://op.example.com/birthdate_verified` claims. When requesting
these claims using the scope parameter, does the same apply and these are
only present in the ID Token when response_type=id_token?

Best,
*Filip*


On Tue, Jun 19, 2018 at 6:51 PM Thomas Broyer via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

>
>
> On Tue, Jun 19, 2018 at 2:54 PM Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> I received the following message at the OIDF Facebook page.
>> Perhaps could someone take care of it?
>>
>>
>>
>> Can you please take a look at
>> https://stackoverflow.com/questions/50740532/should-id-token-contain-claims-when-used-during-authorization-code-flow
>> and give your response there?
>>
>> Multiple authorization providers implementing oidc have this implemented
>> differently - sometimes id_token contains claims when access_token is
>> returned, sometimes not and call to userInfo is required, sometimes it is
>> in both userInfo and id_token which is quite confusing why this is in
>> multiple places, what is the reasoning behind it. In my opinion this should
>> be clarified in the documentation, how it should be implemented according
>> to openid standard.
>>
>
> Fwiw, I don't think it needs clarification:
> https://stackoverflow.com/a/50930696/116472
>
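
An added example, not part of the original thread or of any OP's code: a relying-party helper that applies the Section 5.4 rule discussed above, so the client works whether or not the OP also copies scope-requested claims into the ID Token. `planClaims`, `issuesAccessToken`, `SCOPE_CLAIMS` and the sample payload are hypothetical names and constructed values; custom scopes such as `birthdate` are reported separately because the section does not define them.

```javascript
// Scope-to-claim mapping for the four scopes that OpenID Connect Core
// Section 5.4 defines. Anything else is OP-specific.
const SCOPE_CLAIMS = new Map([
  ["profile", ["name", "family_name", "given_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "gender",
    "birthdate", "zoneinfo", "locale", "updated_at"]],
  ["email", ["email", "email_verified"]],
  ["address", ["address"]],
  ["phone", ["phone_number", "phone_number_verified"]],
]);

// A response_type containing "code" or "token" results in an Access Token
// being issued; plain "id_token" does not.
function issuesAccessToken(responseType) {
  const parts = responseType.trim().split(/\s+/);
  return parts.includes("code") || parts.includes("token");
}

// Hypothetical helper: given the request parameters and an ID Token payload
// (assumed already signature- and claim-validated), report where the
// scope-requested claims are expected and which ones still need UserInfo.
function planClaims(responseType, scope, idTokenPayload) {
  const plan = {
    expectedIn: issuesAccessToken(responseType) ? "userinfo" : "id_token",
    alreadyInIdToken: [],
    fetchFromUserInfo: [],
    unspecifiedScopes: [], // custom scopes: behaviour is up to the OP
  };
  for (const s of new Set(scope.trim().split(/\s+/))) {
    if (s === "openid") continue;
    const claims = SCOPE_CLAIMS.get(s);
    if (!claims) { plan.unspecifiedScopes.push(s); continue; }
    for (const c of claims) {
      const present = Object.prototype.hasOwnProperty.call(idTokenPayload, c);
      if (present) plan.alreadyInIdToken.push(c);
      else if (plan.expectedIn === "userinfo") plan.fetchFromUserInfo.push(c);
    }
  }
  return plan;
}

// Constructed sample: payload from an OP that also places `email` in the
// ID Token on the code flow.
const samplePayload = { iss: "https://op.example.com", sub: "248289761001",
  aud: "client-1", email: "jane@example.com" };

console.log(planClaims("code", "openid email birthdate", samplePayload));
console.log(planClaims("id_token", "openid email birthdate", samplePayload));
```
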