[Openid-specs-ab] Discussion on the UserInfo endpoint and Claims
Breno de Medeiros
breno.demedeiros at gmail.com
Tue Mar 15 01:11:40 UTC 2011
Openid-specs-ab on BCC: as it's a closed discussion group.
Background: There's a discussion on being able to assert claims about
the user. For instance, a claim by the US Postmaster General about the
user's address. Or a claim by the Japanese Government about the user's
country of citizenship. Some of these claims cannot be generated by
the server itself (which might be authoritative for, say, a claim
about the user's email address if the server is also the user's email
service provider). The current proposal by Nat/JBradley was that
UserInfo endpoint would have a fairly extensible schema able to
describe generic claims and additionally provide locations where
claims could be retrieved from (if the server is unable to generate
them), together with OAuth2 tokens that would be redeemable at those
locations.
I provided the feedback that the UserInfo endpoint would probably be
more valuable by focusing on supporting the basic use case of
authentication with (unverifiable) claims about user attributes
asserted by the server, and move the handling of claims to a Claims
Provider Discovery endpoint. This endpoint could perform the
translation, i.e., in exchange for an access token return a list of
claim providers by claim type and the tokens that could be used for
each of them. In this case, claims provided by the server (i.e.,
claims for which the server is itself authoritative) would be handled
exactly as any other third-party claims.
We agreed to continue discussion here.
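To make the Claims Provider Discovery idea concrete, here is an added example (not code from the thread or any OpenID specification) that simulates both sides in-process: the discovery endpoint exchanges an access token for one redeemable token per claim provider, and each provider accepts only tokens whose audience is its own location, so a token handed out for the postal provider cannot be replayed at the government provider. The provider registry, token format, shared secret and access-token check are all constructed assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by the discovery endpoint and providers.
# A real deployment would use per-provider keys; this is only to keep the
# simulation self-contained.
SECRET = b"demo-shared-secret"

# Hypothetical registry: claim type -> authoritative provider location.
# The OP's own claim (email) is listed like any third-party provider,
# mirroring the "handled exactly as any other claims" point above.
PROVIDERS = {
    "address": "https://claims.example-postal.test/verify",
    "citizenship": "https://claims.example-gov.test/verify",
    "email": "https://op.example.test/claims",
}

def _sign(payload: dict) -> str:
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def _verify(token: str) -> dict:
    body, tag = token.split(".")
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad token signature")
    return json.loads(base64.urlsafe_b64decode(body))

def claims_provider_discovery(access_token: str, subject: str) -> dict:
    """Discovery side: access token in, per-provider tokens (audience-bound) out."""
    if access_token != "demo-access-token":  # constructed placeholder check
        raise PermissionError("invalid access token")
    return {claim: {"location": loc,
                    "token": _sign({"sub": subject, "aud": loc, "claim": claim})}
            for claim, loc in PROVIDERS.items()}

def redeem_at_provider(location: str, token: str) -> dict:
    """Provider side: refuse any token not issued for this location."""
    payload = _verify(token)
    if payload["aud"] != location:
        raise PermissionError("token not issued for this provider")
    return {"sub": payload["sub"], "claim": payload["claim"], "issuer": location}

def fetch_claim(discovery: dict, claim: str) -> dict:
    """Relying-party side: look up the provider for a claim type and redeem its token."""
    entry = discovery[claim]
    return redeem_at_provider(entry["location"], entry["token"])

def token_replay_rejected(discovery: dict, claim: str, other_claim: str) -> bool:
    """True if the token for `claim` is refused at `other_claim`'s provider."""
    try:
        redeem_at_provider(discovery[other_claim]["location"], discovery[claim]["token"])
    except PermissionError:
        return True
    return False
```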