[OpenID-Specs-eKYC-IDA] Issue #1185: Just requesting minimum set of claims for each Userinfo EP requests (Data minimization) (openid/ekyc-ida)

Nat issues-reply at bitbucket.org
Wed Mar 11 16:53:05 UTC 2020


New issue 1185: Just requesting minimum set of claims for each Userinfo EP requests (Data minimization)
https://bitbucket.org/openid/ekyc-ida/issues/1185/just-requesting-minimum-set-of-claims-for

Nat Sakimura:

Suppose a client obtained a grant to get a set of claims, e.g., Name, DoB, Address, email. 

Suppose further that all of these claims were required to set up an account at the client but for day to day processes, it only needs email to send the content link to which the user has subscribed to at the client. The email address that the user uses can change at any time so the client wants to pull the email address each time before it is sending the content link to make sure that it gets delivered. \(Name, DoB, Address etc. are only used for the account set up and reset.\) 

In this case, the client may only want to pull email using the access token that it got at the time the grant was given. AFAIK, there is no standardized syntax to do so against Userinfo EP. It would be useful if the client can set a request parameter stating “I only want email address.” 

Similar use-case can be thought about in the life-insurance area. To make sure that life-insurance is properly paid out, many insurance companies only want to know if the person is alive or not. A binary claim response “is\_alive”:true || false is sufficient. Once “is\_alive”:false comes back, then it can pull other claims to process the pay-out. 

Another use-case is for Self-issued provider. Self-issued OpenID Provider  \(SIOP\) is providing aggregated claims, meaning that it acts as an OAuth client to the claims provider \(CP\). When the user who is using the SIOP wants to access an age-restricted content \(e.g. is\_over\_18\), the SIOP may only want to pull the claim from the CP, while when the user is accessing area-restricted content, it may just want to pull the postal\_code from the CP. But in this kind of scenario, you do not want to make another authorization request to CP. So, the SIOP may want to obtain a full grant at the outset and later may want to pull only the claims that it needs to provide at the time it is talking to the relying party. 

I guess we can re-use the same request structure but to the Resource Endpoint instead of the PAR endpoint.




More information about the Openid-specs-ekyc-ida mailing list