[OpenID] claims vs scopes vs extra

John Bradley ve7jtb at ve7jtb.com
Tue May 3 22:32:51 UTC 2016


There is a specific interop Google Group/list https://groups.google.com/forum/#!forum/openid-connect-interop

That is the best place to discuss bugs in the tests.  

Those claims make the most sense if the response is signed.   However they should not cause a fail if unsigned.

I suspect that you are the only person returning those so it is probably a bug in the test.   Contact the list and we will try and get it sorted out.

Regards
John B.

> On May 3, 2016, at 6:20 PM, Paul Hethmon <paul.hethmon at clareitysecurity.com> wrote:
> 
> In doing some of my final testing prior to certification I’ve come across one behavior of the certification tool that puzzles me. Specifically in regards to the response content to the UserInfo endpoint. It’s very clear from the specification that if I request a particular scope, what standard claims should be returned. Likewise, if a specific claim is requested then that claim is to be returned. Any extra claims about the user also would not be returned.
> 
> However, just in my coding, I had my UserInfo endpoint always include a few claims that are more “metadata”:
> 
> 	aud
> 	iat
> 	exp
> 	iss
> 
> For the certification tool, it’s happy with the Scope tests returning these claims. But it’s not happy when they are returned via the “essential claim” test. So to me that appears inconsistent in behavior. After figuring this out, I went reading through the core document and couldn’t find an answer either way. There is a reference in 5.3.2 that the response SHOULD contain iss and aud if it is signed or encrypted. I’m not actually doing either (yet).
> 
> I can’t find a reason (or remember one) for including iat and exp in the UserInfo response. I’m thinking I must have done it from a cut/paste code perspective.
> 
> So, some specific questions:
> 
> 1. Should iat or exp ever be included in a UserInfo response? I am thinking they don’t make sense.
> 2. Should the certification tool care or not care about extra claims?
> 
> thanks,
> 
> Paul
> 
> -----
> Paul Hethmon
> Chief Software Architect
> paul.hethmon at clareitysecurity.com
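The behaviour the two messages above circle around, written out as an added example (it is not code from the thread, from the certification tool, or from any OpenID library): an OP-side builder that derives the UserInfo claim set from the requested scopes and the `claims` request parameter, returns a plain JSON object when unsigned, and adds `iss` and `aud` only on the signed path (the one place the thread points to, Core 5.3.2), with no `iat` or `exp`; and an RP-side parser that verifies a signed response, checks `sub` against the ID Token, and treats extra claims as harmless rather than as a failure. The example goes a little beyond the specific case by covering both the scope-driven and the `claims`-parameter-driven requests in one builder. `ISSUER`, `CLIENT_ID`, `CLIENT_SECRET`, the user record and the use of HS256 keyed with the client secret are assumptions made for the example, not values from the page.

```python
import base64
import hashlib
import hmac
import json

# Scope -> standard claims, from OpenID Connect Core 1.0, section 5.4.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

ISSUER = "https://op.example.com"                  # assumed for the example
CLIENT_ID = "rp-client-123"                        # assumed for the example
CLIENT_SECRET = b"constructed-shared-secret-for-hs256"  # assumed, not a real secret


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def requested_claim_names(scopes, claims_param=None):
    """Claims to release: the union of the scope-implied claims (5.4) and the
    names listed under "userinfo" in the claims request parameter (5.5).
    The "essential" flag only tells the OP which claims the RP needs; it does
    not make the OP return anything it does not hold."""
    names = set()
    for scope in scopes:
        names |= SCOPE_CLAIMS.get(scope, set())
    if claims_param:
        names |= set(claims_param.get("userinfo", {}))
    return names


def build_userinfo(user, scopes, claims_param=None, sign_key=None):
    """OP side. Returns (content_type, body). Unsigned: a JSON object holding
    sub plus the requested claims the OP has. Signed: an HS256 JWT that also
    carries iss and aud, as Core 5.3.2 says a signed response SHOULD."""
    if "openid" not in scopes:
        raise ValueError("openid scope is required for a UserInfo request")
    body = {"sub": user["sub"]}               # sub is always returned
    for name in requested_claim_names(scopes, claims_param):
        if name in user:                      # release only what the OP holds
            body[name] = user[name]
    if sign_key is None:
        return "application/json", json.dumps(body, separators=(",", ":"))
    body["iss"] = ISSUER
    body["aud"] = CLIENT_ID
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(body, separators=(",", ":")).encode())
    sig = hmac.new(sign_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return "application/jwt", f"{header}.{payload}.{_b64url(sig)}"


def parse_userinfo(content_type, body, id_token_sub, key=None):
    """RP side. For a JWT response, verifies the HS256 signature and the
    iss/aud pair; for either form, checks sub against the ID Token (a MUST
    in 5.3.2). Every other claim is kept as-is, so extra claims such as
    iat or exp never cause a failure here."""
    if content_type == "application/jwt":
        header, payload, sig = body.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("UserInfo JWT signature does not verify")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg in UserInfo JWT header")
        claims = json.loads(_b64url_decode(payload))
        if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
            raise ValueError("iss/aud mismatch in signed UserInfo response")
    else:
        claims = json.loads(body)
    if claims.get("sub") != id_token_sub:
        raise ValueError("UserInfo sub does not match the ID Token sub")
    return claims


# Constructed user record for the example, not real data.
USER = {"sub": "248289761001", "name": "Jane Doe", "email": "jane@example.com",
        "email_verified": True, "phone_number": "+1 555 0100"}

if __name__ == "__main__":
    ct, body = build_userinfo(USER, ["openid", "email"])
    print(ct, body)
    ct, body = build_userinfo(USER, ["openid"],
                              {"userinfo": {"name": {"essential": True}}},
                              sign_key=CLIENT_SECRET)
    print(ct, parse_userinfo(ct, body, "248289761001", key=CLIENT_SECRET))
```

The split between the two functions is the point: which claims come back is decided by scopes and the `claims` parameter, while `iss` and `aud` are a property of the signed envelope, so they appear only when there is a signature for them to bind to. On the RP side the parser fails on a bad signature, a wrong `iss`/`aud`, or a `sub` that does not match the ID Token, and on nothing else.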