[OpenID-Specs-eKYC-IDA] Issue #1242: Look ahead for provided claims in distributed/aggregated claims (openid/ekyc-ida)
tlodderstedt
issues-reply at bitbucket.org
Sat Apr 3 12:43:32 UTC 2021
New issue 1242: Look ahead for provided claims in distributed/aggregated claims
https://bitbucket.org/openid/ekyc-ida/issues/1242/look-ahead-for-provided-claims-in
Torsten Lodderstedt:
Litte Armitt Ross from GRIDS project (https://grids-cef.eu/) approached Daniel and me with an inquiry regarding aggregated/distributed claims. The aim is to put more information in the ID Token/UserInfo response to allow the RP to determine what verified End-User claims are available in what aggregated/distributed claims source.
So far, we only make transparent that “verified_claims” is available. Here is an example:
```
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "email": "janedoe@example.com",
  "email_verified": true,
  "_claim_names": {
    "verified_claims": [
      "src1",
      "src2"
    ]
  },
  "_claim_sources": {
    "src1": {
      "JWT": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwcz
ovL3NlcnZlci5vdGhlcm9wLmNvbSIsInN1YiI6ImU4MTQ4NjAzLTg5MzQtNDI0N
S04MjViLWMxMDhiOGI2Yjk0NSIsInZlcmlmaWVkX2NsYWltcyI6eyJ2ZXJpZmlj
YXRpb24iOnsidHJ1c3RfZnJhbWV3b3JrIjoiaWFsX2V4YW1wbGVfZ29sZCJ9LCJ
jbGFpbXMiOnsiZ2l2ZW5fbmFtZSI6Ik1heCIsImZhbWlseV9uYW1lIjoiTWVpZX
IiLCJiaXJ0aGRhdGUiOiIxOTU2LTAxLTI4In19fQ.FArlPUtUVn95HCExePlWJQ
6ctVfVpQyeSbe3xkH9MH1QJjnk5GVbBW0qe1b7R3lE-8iVv__0mhRTUI5lcFhLj
oGjDS8zgWSarVsEEjwBK7WD3r9cEw6ZAhfEkhHL9eqAaED2rhhDbHD5dZWXkJCu
XIcn65g6rryiBanxlXK0ZmcK4fD9HV9MFduk0LRG_p4yocMaFvVkqawat5NV9QQ
3ij7UBr3G7A4FojcKEkoJKScdGoozir8m5XD83Sn45_79nCcgWSnCX2QTukL8Ny
wIItu_K48cjHiAGXXSzydDm_ccGCe0sY-Ai2-iFFuQo2PtfuK2SqPPmAZJxEFrF
oLY4g"
    },
    "src2": {
      "endpoint": "https://server.yetanotherop.com/claim_source",
      "access_token": "ksj3n283dkeafb76cdef"
    }
  }
}
```
The RP now needs to query the distributed claims source in order to determine what is available there. That might cause additional cost without providing the required claims, so the question is whether some more details can be provided to support the RP’s decision.
Ross proposed an extension to the “_claim_names” structure like this:
```
{
  "iss": "https://self-issued.me",
  "sub": "248289761001",
  "preferred_username": "superman445",
  "_claim_names": {
    "verified_claims": {
      "given_name": [
        "src1",
        "src2"
      ],
      "family": [
        "src1",
        "src2"
      ],
      "legal_name": "src1",
      "legal_person_identifier": "src1",
      "lei": "src1"
    }
  },
  …
}
```
Responsible: Torsten Lodderstedt
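
The following is an added example, not part of the issue text or of any OpenID specification: a sketch of how an RP could use the proposed per-claim "_claim_names" form to decide which sources to consult, falling back to querying every source for the current list form. The names plan_lookup and _refs, the source name src9, the placeholder JWT and the endpoint URL are assumptions made for illustration; the look-ahead is treated only as a hint, so the RP still validates whatever each source returns.

```python
def _refs(value):
    """A _claim_names value is one source name or a list of them."""
    if isinstance(value, str):
        return [value]
    return [r for r in value if isinstance(r, str)] if isinstance(value, list) else []

def plan_lookup(response, wanted):
    """Return (inline, fetch, unavailable): aggregated sources already in the
    response, distributed endpoints to call, and claims nobody advertises."""
    sources = response.get("_claim_sources", {})
    names = response.get("_claim_names", {}).get("verified_claims")

    def kind(ref):
        src = sources.get(ref)
        if not isinstance(src, dict):
            return None  # dangling reference: never trust an undefined source
        return "inline" if "JWT" in src else "fetch" if "endpoint" in src else None

    plan = {"inline": {}, "fetch": {}}
    if not isinstance(names, dict):
        # Current form: source names only, so every source is a candidate.
        for ref in _refs(names):
            if kind(ref):
                plan[kind(ref)][ref] = set(wanted)
        known = plan["inline"] or plan["fetch"]
        return plan["inline"], plan["fetch"], set() if known else set(wanted)
    unavailable = set()
    for claim in sorted(wanted):
        refs = [r for r in _refs(names.get(claim)) if kind(r)]
        local = [r for r in refs if kind(r) == "inline"]
        if local:
            plan["inline"].setdefault(local[0], set()).add(claim)
        elif refs:
            # Prefer an endpoint that is already scheduled for another claim.
            ref = next((r for r in refs if r in plan["fetch"]), refs[0])
            plan["fetch"].setdefault(ref, set()).add(claim)
        else:
            unavailable.add(claim)
    return plan["inline"], plan["fetch"], unavailable

# Constructed sample in the proposed per-claim form (placeholder JWT and endpoint).
PROPOSED = {
    "_claim_names": {"verified_claims": {
        "given_name": ["src1", "src2"], "lei": "src2", "legal_name": "src9"}},
    "_claim_sources": {"src1": {"JWT": "<jwt>"},
                       "src2": {"endpoint": "https://claims.example/claim_source"}},
}
```

With the per-claim form, a request for given_name alone needs no call to the distributed endpoint, which is the cost the issue is trying to avoid.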