[OpenID-Specs-eKYC-IDA] Issue #1175: verified_claims in an introspection response should represent input requirements for verified claims (openid/ekyc-ida)

Takahiko Kawasaki issues-reply at bitbucket.org
Tue Feb 25 05:25:07 UTC 2020


New issue 1175: verified_claims in an introspection response should represent input requirements for verified claims
https://bitbucket.org/openid/ekyc-ida/issues/1175/verified_claims-in-an-introspection

Takahiko Kawasaki:

A response from the introspection endpoint ([RFC 7662](https://tools.ietf.org/html/rfc7662)) includes information about an access token itself. The response should not include information that may be obtained by using the access token. In that sense, the value of `verified_claims` in a response from the introspection endpoint should not be the end-user’s data. Instead, if included, **the value of** `verified_claims` **in an introspection response should represent input requirements for verified claims.** **Embedding the end-user’s data in an introspection response is equivalent to embedding the end-user’s data in a JWT access token,** which I don’t believe is a good practice.
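As an added illustration (not part of the issue or of the eKYC-IDA spec), here is a Python check a resource server or authorization server could run over an introspection response to tell the two shapes the post contrasts apart: a `verified_claims` value in claims-request syntax (null leaves or `essential`/`purpose` descriptors) versus one that carries end-user data. The set of allowed leaf keys and both sample responses are assumptions constructed for this example.

```python
"""Detect end-user data leaking into the `verified_claims` member of a
token-introspection response (RFC 7662)."""

# Members allowed in a leaf of the claims-request syntax: OpenID Connect Core
# section 5.5 plus the eKYC-IDA `purpose` and `max_age` members (assumption).
REQUEST_LEAF_KEYS = {"essential", "value", "values", "purpose", "max_age"}


def is_request_shape(node) -> bool:
    """Return True if `node` is a claims request (input requirements), False if
    any position holds a concrete value, i.e. the end-user's data."""
    if node is None:                      # "given_name": null -> requested claim
        return True
    if isinstance(node, dict):
        # Leaf descriptor such as {"essential": true, "purpose": "..."}
        if node and set(node) <= REQUEST_LEAF_KEYS:
            return True
        # Otherwise a container (claims, verification, ...): recurse
        return all(is_request_shape(v) for v in node.values())
    if isinstance(node, list):            # verified_claims may be an array
        return all(is_request_shape(v) for v in node)
    # A bare string/number/bool at a claim position is a real value
    return False


def introspection_response_is_safe(resp: dict) -> bool:
    """True if the response omits verified_claims or keeps it request-shaped."""
    return is_request_shape(resp.get("verified_claims"))


# Constructed sample: the shape the issue argues for (input requirements only)
REQUEST_STYLE = {
    "active": True, "client_id": "s6BhdRkqt3", "scope": "openid",
    "verified_claims": {
        "verification": {"trust_framework": None, "time": {"max_age": 86400}},
        "claims": {"given_name": {"essential": True, "purpose": "KYC"},
                   "family_name": None},
    },
}

# Constructed sample: the shape the issue argues against (end-user data)
DATA_STYLE = {
    "active": True, "client_id": "s6BhdRkqt3", "scope": "openid",
    "verified_claims": {
        "verification": {"trust_framework": "de_aml", "time": "2020-02-25T05:25Z"},
        "claims": {"given_name": "Max", "family_name": "Meier"},
    },
}

if __name__ == "__main__":
    print("request-style safe:", introspection_response_is_safe(REQUEST_STYLE))
    print("data-style safe:   ", introspection_response_is_safe(DATA_STYLE))
```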
