[Openid-specs-ab] Stackoverflow question.

Dominick Baier dbaier at leastprivilege.com
Wed Jun 20 04:52:13 UTC 2018


FWIW - we actually also found that “side note” pretty late while
implementing IdentityServer - it fundamentally changed our design. And yes
- we get a lot of questions about the fact that suddenly claims are
“missing” once they switch e.g. from id_token to code id_token.

Cheers
-------
Dominick Baier

On 19. June 2018 at 21:57:15, Filip Skokan via Openid-specs-ab (
openid-specs-ab at lists.openid.net) wrote:

I agree the specification is clear. But it's very easy to miss this and I
believe it to be the general expectation from developers that requesting
claims using the scopes parameter makes these available in the id_token
regardless of the response_type used. A note in each ID Token section would
make this more clear.

Also, *Section 5.4 Requesting Claims using Scope Values* (
http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
enumerates the spec-defined (recommended) scopes `profile, email, address,
and phone` but does not say what the expected behaviour is for other
claims related to OP-specific (custom) scopes.
E.g., an OP has a custom scope `birthdate` with which it returns `birthdate`
and `http://op.example.com/birthdate_verified` claims. When requesting
these claims using the scope parameter, does the same apply and these are
only present in the ID Token when response_type=id_token?

Best,
*Filip*
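
As an added illustration of the Section 5.4 rule discussed above (example code, not part of the original thread or of any implementation it mentions): the OP-side decision of where scope-requested claims are placed, given the response_type. It assumes custom scopes follow the same rule as the four standard ones, which is precisely the point the thread leaves open.

```python
# Placement of scope-requested claims per OpenID Connect Core 1.0, Section 5.4:
# they come from the UserInfo Endpoint whenever the response_type results in an
# Access Token being issued, and ride in the ID Token only when none is issued
# (response_type=id_token). Claims requested explicitly through the `claims`
# request parameter (Section 5.5) are outside this rule and not modelled here.

# Registered OIDC response_type values; order-insensitive, hence frozensets.
OIDC_RESPONSE_TYPES = {frozenset(rt.split()) for rt in (
    "code", "id_token", "id_token token",
    "code id_token", "code token", "code id_token token")}

# Scope -> claims from Core 5.4 ("profile" abridged to a few of its claims).
STANDARD_SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "preferred_username"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def issues_access_token(response_type: str) -> bool:
    """True for every OIDC response_type except the pure Implicit "id_token".

    "code" counts: its Access Token is issued later at the Token Endpoint.
    """
    parts = frozenset(response_type.split())
    if parts not in OIDC_RESPONSE_TYPES:
        raise ValueError(f"not an OIDC response_type: {response_type!r}")
    return parts != {"id_token"}


def place_scope_claims(response_type: str, scope: str, custom_scope_claims=None):
    """Split the claims requested via `scope` into (id_token_claims, userinfo_claims).

    custom_scope_claims maps OP-specific scopes to their claims. Assumption: they
    follow the same rule as the four standard scopes; the spec names only those.
    """
    scopes = scope.split()
    if "openid" not in scopes:
        raise ValueError("an OIDC request must include the 'openid' scope")
    scope_map = {**STANDARD_SCOPE_CLAIMS, **(custom_scope_claims or {})}
    requested = set().union(*(scope_map.get(s, set()) for s in scopes))
    if issues_access_token(response_type):
        return set(), requested  # client must call UserInfo with the Access Token
    return requested, set()      # no Access Token: the claims ride in the ID Token


if __name__ == "__main__":
    # The surprise from the thread: same scope, claims "vanish" from the ID Token.
    for rt in ("id_token", "code id_token"):
        print(rt, place_scope_claims(rt, "openid email"))
```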


On Tue, Jun 19, 2018 at 6:51 PM Thomas Broyer via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

>
>
> On Tue, Jun 19, 2018 at 2:54 PM Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> I received the following message at the OIDF Facebook page.
>> Perhaps could someone take care of it?
>>
>>
>>
>> Can you please take a look at
>> https://stackoverflow.com/questions/50740532/should-id-token-contain-claims-when-used-during-authorization-code-flow
>> and give your response there?
>>
>> Multiple authorization providers implementing OIDC have implemented this
>> differently - sometimes the id_token contains claims when an access_token is
>> returned, sometimes not and a call to userInfo is required, and sometimes they
>> are in both userInfo and id_token, which is quite confusing: why is this in
>> multiple places, and what is the reasoning behind it? In my opinion this should
>> be clarified in the documentation: how it should be implemented according
>> to the OpenID standard.
>>
>
> Fwiw, I don't think it needs clarification:
> https://stackoverflow.com/a/50930696/116472
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab