[Openid-specs-ab] Stackoverflow question.

Filip Skokan panva.ip at gmail.com
Wed Jun 20 05:24:25 UTC 2018


node oidc-provider also didn't implement this
<https://github.com/panva/node-oidc-provider/pull/298> until now, when
this came to my attention (~2.5 years into its release, ~3 into its
development). Luckily the existing design supports this rather easily.

Even the certification suite does not check/assert this, or at least issue a
note in the logs.

Best,
*Filip*


On Wed, Jun 20, 2018 at 6:52 AM Dominick Baier <dbaier at leastprivilege.com>
wrote:

> FWIW - we actually also found that “side note” pretty late while
> implementing IdentityServer - it fundamentally changed our design. And yes
> - we get a lot of questions about the fact that suddenly claims are
> “missing” once they switch e.g. from id_token to code id_token.
>
> Cheers
> -------
> Dominick Baier
>
> On 19. June 2018 at 21:57:15, Filip Skokan via Openid-specs-ab (
> openid-specs-ab at lists.openid.net) wrote:
>
> I agree the specification is clear. But it's very easy to miss this and I
> believe it to be the general expectation from developers that requesting
> claims using the scopes parameter makes these available in the id_token
> regardless of the response_type used. A note in each ID Token section would
> make this more clear.
>
> Also, *Section 5.4 Requesting Claims using Scope Values* (
> http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)
> enumerates the spec-defined (recommended) scopes `profile, email, address,
> and phone` but does not mention what the expected behaviour is for other
> claims related to OP-specific (custom) scopes.
> E.g. an OP has a custom scope `birthdate` with which it returns the
> `birthdate` and `http://op.example.com/birthdate_verified` claims. When
> requesting these claims using the scope parameter, does the same apply, and
> are these only present in the ID Token when response_type=id_token?
>
> Best,
> *Filip*
>
>
> On Tue, Jun 19, 2018 at 6:51 PM Thomas Broyer via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>>
>>
>> On Tue, Jun 19, 2018 at 2:54 PM Nat Sakimura via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> I received the following message at the OIDF Facebook page.
>>> Perhaps could someone take care of it?
>>>
>>>
>>>
>>> Can you please take a look at
>>> https://stackoverflow.com/questions/50740532/should-id-token-contain-claims-when-used-during-authorization-code-flow
>>> and give your response there?
>>>
>>> Multiple authorization providers implementing oidc have this implemented
>>> differently - sometimes id_token contains claims when access_token is
>>> returned, sometimes not and a call to userInfo is required, sometimes it is
>>> in both userInfo and id_token, which is quite confusing: why is this in
>>> multiple places, and what is the reasoning behind it? In my opinion this should
>>> be clarified in the documentation, how it should be implemented according
>>> to the openid standard.
>>>
>>
>> Fwiw, I don't think it needs clarification:
>> https://stackoverflow.com/a/50930696/116472
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
>
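For the rule the thread is about (OpenID Connect Core 1.0, section 5.4: scope-requested claims come from the UserInfo Endpoint when an Access Token is issued, and land in the ID Token only when none is, i.e. response_type=id_token), here is an added JavaScript example that is not part of this thread or of node-oidc-provider. It sorts scope-requested claims between the ID Token and UserInfo based on response_type; the custom `birthdate` scope mapping, and applying the same rule to custom scopes, are assumptions.

```javascript
// Added example (not from the thread or any OP implementation).
// Scope -> claims mapping: standard scopes from OIDC Core 5.4, trimmed for
// brevity, plus a hypothetical OP-specific `birthdate` scope (assumption).
const SCOPE_CLAIMS = {
  profile: ['name', 'family_name', 'given_name', 'picture', 'locale'],
  email: ['email', 'email_verified'],
  address: ['address'],
  phone: ['phone_number', 'phone_number_verified'],
  // Custom scope; treated like the standard ones here (assumption).
  birthdate: ['birthdate', 'http://op.example.com/birthdate_verified'],
};

// An Access Token is issued whenever the response_type contains `code`
// (via the token endpoint) or `token`; plain `id_token` issues none.
function issuesAccessToken(responseType) {
  const parts = responseType.split(' ');
  return parts.includes('code') || parts.includes('token');
}

// Collect the claim names requested through the scope parameter.
function claimsForScope(scope) {
  const names = new Set();
  for (const s of scope.split(' ')) {
    for (const c of SCOPE_CLAIMS[s] || []) names.add(c);
  }
  return names;
}

// Decide where the scope-requested claims are delivered.
// Returns { idToken, userinfo }; userinfo is null when no Access Token
// exists, because the UserInfo Endpoint cannot be called without one.
function distributeClaims(responseType, scope, user) {
  if (responseType === 'none') return { idToken: null, userinfo: null };
  const picked = {};
  for (const name of claimsForScope(scope)) {
    if (name in user) picked[name] = user[name];
  }
  const idToken = { sub: user.sub };
  if (issuesAccessToken(responseType)) {
    // Access Token issued: claims go to UserInfo, ID Token stays minimal.
    return { idToken, userinfo: { sub: user.sub, ...picked } };
  }
  // No Access Token (response_type=id_token): claims go into the ID Token.
  return { idToken: { ...idToken, ...picked }, userinfo: null };
}
```

This is the behaviour that surprises developers switching from `id_token` to `code id_token`: the same scope now yields a bare ID Token and the claims must be fetched from UserInfo.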