[Openid-specs-ab] Definition of required and optional claims? Handling?
Roland Hedberg
roland.hedberg at adm.umu.se
Thu Apr 12 06:40:18 UTC 2012
11 apr 2012 kl. 22:14 skrev Mike Jones:
> If a required claim isn't available, that's an error. (It's not for optional claims.) But looking at the list of errors in 2.1.4 http://openid.net/specs/openid-connect-messages-1_0-09.html#anchor8 we haven't defined an error for that case. I suspect we should define one like "required_claim_unavailable".
>
> What are other's thoughts?
I'm positive to adding error types that actually mean something to the client (RP).
That is, allows it to do something intelligent in response to it.
I know that others are concerned about leaking information that could be used by an attacker to improve the attack.
I don't think adding this error type would do that though.
-- Roland
More information about the Openid-specs-ab
mailing list