[Openid-specs-ab] Issue #1116: Returning end user claims in id token (openid/connect)

jolivasf issues-reply at bitbucket.org
Wed Oct 9 08:21:51 UTC 2019


New issue 1116: Returning end user claims in id token
https://bitbucket.org/openid/connect/issues/1116/returning-end-user-claims-in-id-token

Jorge Oliva:

Hi, while reading the docs of one of the certified products for OpenID (https://www.npmjs.com/package/openid-client) I have seen that:

"[Core 1.0 - Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) defines that claims requested using the scope parameter are only returned from the UserInfo Endpoint unless the response\_type is id\_token"

The exact part of the specification says:

"The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."

I'm not sure whether that statement means "Do not put End-User claims in the ID token unless response_type is id_token"...

So my question is, if I use just "code" as the response type in a request like this:


```
GET /authorize?
  response_type=code
  &scope=openid%20email
  &client_id=3dfd89e1-964b-4ac4-ba46-977fc5f87db9
  &request_uri=http%3A%2F%2Frp.example.com%2Frequest_obj%2FYTUHYJ6YHGT HTTP/1.1
Host: op.example.com
```

Then, should the ID token returned from the **/token** endpoint (when exchanging the code) contain the End-User claims (I mean email and email_verified)? Or should it not contain these claims according to the specification?

Thanks!
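As an added example (not part of the original post, and not code from OpenID Connect Core or the openid-client package), here is an RP-side helper that applies the Section 5.4 text quoted above: for the scope values profile, email, address and phone it expects the claims in the ID Token only when the response_type issues no Access Token (the bare `id_token` case), and otherwise fetches them from the UserInfo Endpoint, checking the `sub` match that Section 5.3.2 requires. Assumptions not in the original post: the ID Token has already been validated (signature, iss, aud, exp, nonce) and decoded into a dict, the UserInfo request is passed in as a callable so the code runs offline, and the sample subject, e-mail and issuer values are constructed.

```python
"""
Added example, not code from the original post, from OpenID Connect Core or
from the openid-client package: resolve End-User claims requested through
scope values the way Core 1.0 section 5.4 describes.

Assumptions (not in the original post): the ID Token has already been
validated (signature, iss, aud, exp, nonce) and decoded into a dict, and the
UserInfo request is abstracted as a callable so the example runs offline on
constructed data.
"""
from typing import Callable, Dict, Set, Tuple

# Core 1.0 section 5.4: the claims each scope value requests.
SCOPE_CLAIMS: Dict[str, Set[str]] = {
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def access_token_issued(response_type: str) -> bool:
    """True unless the response_type is exactly 'id_token'.

    'code' yields an Access Token at the Token Endpoint, and every hybrid or
    implicit combination other than the bare 'id_token' yields one as well.
    """
    return set(response_type.split()) != {"id_token"}


def requested_claims(scope: str) -> Set[str]:
    """Claim names implied by the scope values (the bare 'openid' adds none)."""
    wanted: Set[str] = set()
    for value in scope.split():
        wanted |= SCOPE_CLAIMS.get(value, set())
    return wanted


def resolve_claims(
    response_type: str,
    scope: str,
    id_token_claims: Dict[str, object],
    fetch_userinfo: Callable[[], Dict[str, object]],
) -> Tuple[Dict[str, object], str]:
    """Return (claims, source) for the scope-requested claims.

    source is 'id_token' when no Access Token exists (the ID Token is then the
    only place the claims can be returned), otherwise 'userinfo'.
    """
    wanted = requested_claims(scope)
    from_id_token = {k: v for k, v in id_token_claims.items() if k in wanted}

    if not access_token_issued(response_type):
        # No Access Token means the UserInfo Endpoint cannot be called, so the
        # OP returns the claims in the ID Token itself (section 5.4).
        return from_id_token, "id_token"

    # An Access Token was issued: per section 5.4 the claims come from the
    # UserInfo Endpoint. Anything the OP also placed in the ID Token is kept,
    # but the RP does not depend on it being there.
    userinfo = fetch_userinfo()

    # Core 1.0 section 5.3.2: the sub in the UserInfo Response MUST match the
    # sub of the ID Token; if it does not, the UserInfo values MUST NOT be used.
    if userinfo.get("sub") != id_token_claims.get("sub"):
        raise ValueError("UserInfo sub does not match ID Token sub")

    merged = dict(from_id_token)
    merged.update({k: v for k, v in userinfo.items() if k in wanted})
    return merged, "userinfo"


if __name__ == "__main__":
    # Constructed sample data for the code flow from the post: the OP returned
    # only sub in the ID Token and serves email from UserInfo (hypothetical values).
    id_token = {"iss": "https://op.example.com", "sub": "248289761001",
                "aud": "3dfd89e1-964b-4ac4-ba46-977fc5f87db9"}

    def userinfo() -> Dict[str, object]:
        return {"sub": "248289761001", "email": "jane@example.com",
                "email_verified": True}

    print(resolve_claims("code", "openid email", id_token, userinfo))
```

The merge keeps whatever the OP chose to put in the ID Token and lets the UserInfo values win for the same claim names; that ordering is a design choice of this example, not a requirement stated in the quoted text.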
