[Openid-specs-ab] Issue #1116: Returning end user claims in id token (openid/connect)

jolivasf issues-reply at bitbucket.org
Wed Oct 9 08:21:51 UTC 2019

New issue 1116: Returning end user claims in id token

Jorge Oliva:

Hi, while reading the docs from one of the certified products for OpenID (https://www.npmjs.com/package/openid-client) I have seen that:

"[Core 1.0 - Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) defines that claims requested using the scope parameter are only returned from the UserInfo Endpoint unless the response_type is id_token"

The exact part of the specification says:

"The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."

I'm not sure if that statement means "Don't put End-User claims in the ID token unless response_type is id_token"...

So my question is, if I use just "code" as the response type in a request like this:

GET /authorize?
&scope=openid email
Host: op.example.com
Then should the ID token returned from the **/token** endpoint (when exchanging the code) have the End-User claims inside (I mean email and email_verified)? Or should it not contain these claims by specification?

