[Openid-specs-ab] Definition of required and optional claims? Handling?
Vladimir Dzhuvinov / NimbusDS
vladimir at nimbusds.com
Thu Apr 12 19:22:54 UTC 2012
Hi guys,
Is there an actual need to have required claims? Can't all claims be
treated as optional?
Here is my perspective:
If I were a client (relying party) and a particular claim I deem
required is not available (or the user chooses to withhold it), it would
be easier if I just didn't receive it, instead of having a
"required_claim_unavailable" thrown at me.
My arguments for that:
* For multiple required claims, that makes it easier for the client to
identify which particular claims are not available. Otherwise the IdP
will have to detail this in the response error.
* Simpler API.
* Strictly speaking, claim requirement is a client issue, not an IdP
issue.
Vladimir
--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
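The two policies argued over above, modelled as an added example that is not part of the thread or of any OpenID Connect implementation: an IdP that silently omits unavailable or withheld claims (the behaviour Vladimir proposes) next to one that raises the proposed `required_claim_unavailable` error (Mike's suggestion), and an RP-side check that works out for itself which of the claims it considers required are missing. The user record, consent set, claim names and the `requirements` dict shape are all constructed for the illustration.

```python
"""Required vs optional claims: 'omit' policy vs 'error' policy (added example).

Assumptions, none of which come from the thread or the spec draft it cites:
 - the RP expresses its needs as a dict {claim_name: True (required) / False (optional)};
 - the IdP releases only claims that exist for the user AND that the user agreed to release;
 - sample user data and consent below are constructed, not real.
"""
from dataclasses import dataclass, field

# Constructed sample: what the IdP knows and what the user consented to release.
USER_RECORD = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "email": "jane@example.com",
    "phone_number": "+1-555-0100",  # known to the IdP, but withheld by the user below
}
USER_CONSENT = {"sub", "name", "email"}


def idp_release_claims(requested, record=USER_RECORD, consent=USER_CONSENT):
    """IdP, 'omit' policy: return the subset of requested claims that exist and are consented to.

    Unknown or withheld claims are simply absent from the result; no error is produced,
    which leaves the decision about what is 'required' to the RP.
    """
    return {c: record[c] for c in requested if c in record and c in consent}


class RequiredClaimUnavailable(Exception):
    """Hypothetical error modelled on the 'required_claim_unavailable' name from the thread."""

    def __init__(self, missing):
        super().__init__("required_claim_unavailable: " + ", ".join(missing))
        self.missing = list(missing)


def idp_release_claims_strict(requirements, record=USER_RECORD, consent=USER_CONSENT):
    """IdP, 'error' policy: refuse the whole response if any claim marked required is unavailable.

    Note the IdP has to enumerate the missing claims itself for the error to be useful,
    which is the extra burden the post above points out.
    """
    released = idp_release_claims(requirements, record, consent)
    missing = [c for c, required in requirements.items() if required and c not in released]
    if missing:
        raise RequiredClaimUnavailable(missing)
    return released


@dataclass
class ClaimCheck:
    """Outcome of the RP's own validation of a claims response."""

    received: dict
    missing_required: list = field(default_factory=list)
    missing_optional: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.missing_required


def rp_check_claims(received, requirements):
    """RP side: decide locally which required/optional claims are absent.

    An empty-string value is treated like an absent claim, since it is equally useless
    to the RP. The RP can then act on the precise list (e.g. prompt the user itself)
    rather than on an opaque IdP error.
    """
    check = ClaimCheck(received=received)
    for claim, required in requirements.items():
        value = received.get(claim)
        if value is None or value == "":
            (check.missing_required if required else check.missing_optional).append(claim)
    return check


def omit_policy_flow(requirements):
    """End-to-end 'omit' flow: IdP releases what it can, RP judges the result."""
    received = idp_release_claims(requirements)
    return rp_check_claims(received, requirements)


if __name__ == "__main__":
    wants = {"sub": True, "email": True, "phone_number": True, "address": False}
    result = omit_policy_flow(wants)
    print("received:", result.received)
    print("missing required:", result.missing_required, "missing optional:", result.missing_optional)
    try:
        idp_release_claims_strict(wants)
    except RequiredClaimUnavailable as exc:
        print("strict policy error:", exc)
```

Under the omit policy the RP sees that `phone_number` is the one required claim it did not get and can decide what to do; under the strict policy the same information only reaches the RP if the IdP takes care to list the missing claims in the error.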
-------- Original Message --------
Subject: Re: [Openid-specs-ab] Definition of required and optional
claims? Handling?
From: Roland Hedberg <roland.hedberg at adm.umu.se>
Date: Thu, April 12, 2012 7:40 am
To: Mike Jones <Michael.Jones at microsoft.com>
Cc: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>,
"openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
On 11 Apr 2012 at 22:14, Mike Jones wrote:
> If a required claim isn't available, that's an error. (It's not for optional claims.) But looking at the list of errors in 2.1.4 http://openid.net/specs/openid-connect-messages-1_0-09.html#anchor8 we haven't defined an error for that case. I suspect we should define one like "required_claim_unavailable".
>
> What are others' thoughts?
I'm positive about adding error types that actually mean something to the
client (RP), that is, ones that allow it to do something intelligent in
response.
I know that others are concerned about leaking information that could be
used by an attacker to improve the attack.
I don't think adding this error type would do that though.
-- Roland