[Openid-specs-ab] Aggregated and Distributed Claims

Marcos Sanz sanz at denic.de
Tue Mar 5 12:43:35 UTC 2019

Hi Torsten,

> As far as I understand, you discussed distributed claims only and 
suggested to do discovery on the endpoint and/or use the claim 
> provider’s TLS cert to conduct the check.

originally, the certification software expected the (distributed) claims 
delivered by the claims provider to be signed with the same key of the 
original IdP. That was not doable, so that's why I suggested to discover 
the Claims Provider Userinfo Endpoint together with its JWKS URI and 
expect their own claims to be a JWS signed by the latter

AFAIK that's what the certification software does now and using the claim 
provider's TLS cert to conduct the check was just an idea, it didn't get 

> That does not work for aggregated claims. 

I don't fully understand this statement. The challenge remains, as before, 
to discover the location of the claims providers, and that's a task that 
the IdP has to solve, not the RP. If the IdP is capable to return pointers 
to the claims providers for the RPs to dig the claims from there 
(distributed case), the IdP can certainly also do that work themselves, 
put their own signature on it, and deliver it as a whole (aggregated 
> I think requiring an iss claim in the JWT is the obvious solution as the 
RP can perform signature validation as normal in OIDC. 
> BTW: I would suggest the same for distributed claims :-)

How would that exactly look in a distributed claims answer from the IdP 
UserInfo Endpoint?


More information about the Openid-specs-ab mailing list