[Openid-specs-ab] Definition of required and optional claims? Handling?

John Bradley ve7jtb at ve7jtb.com
Thu Apr 12 21:27:58 UTC 2012


The RP should only make a claim required if the user will not be allowed in without it.

Most social logins will use scopes where they are optional.

Having a way to indicate to the IdP that the user won't be allowed in without the claim allows the IdP to inform the user.

John
On 2012-04-12, at 9:22 PM, Vladimir Dzhuvinov / NimbusDS wrote:

> Hi guys,
> 
> Is there an actual need to have required claims? Can't all claims be
> treated as optional?
> 
> Here is my perspective:
> 
> If I were a client (relying party) and a particular claim I deem
> required is not available (or the user chooses to withhold it), it would
> be easier if I just didn't receive it, instead of having a
> "required_claim_unavailable" thrown at me.
> 
> My arguments for that:
> 
> * For multiple required claims, that makes it easier for the client to
> identify which particular claims are not available. Otherwise the IdP
> will have to detail this in the response error.
> 
> * Simpler API.
> 
> * Strictly speaking, claim requirement is a client issue, not an IdP
> issue.
> 
> 
> Vladimir
> 
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
> 
> 
> 
> -------- Original Message --------
> Subject: Re: [Openid-specs-ab] Definition of required and optional
> claims? Handling?
> From: Roland Hedberg <roland.hedberg at adm.umu.se>
> Date: Thu, April 12, 2012 7:40 am
> To: Mike Jones <Michael.Jones at microsoft.com>
> Cc: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>,
> "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
> 
> 
> 
> On 11 Apr 2012 at 22:14, Mike Jones wrote:
> 
>> If a required claim isn't available, that's an error. (It's not for optional claims.) But looking at the list of errors in 2.1.4 http://openid.net/specs/openid-connect-messages-1_0-09.html#anchor8 we haven't defined an error for that case. I suspect we should define one like "required_claim_unavailable".
>> 
>> What are others' thoughts?
> 
> I'm positive about adding error types that actually mean something to the
> client (RP), that is, error types that allow it to do something intelligent
> in response.
> 
> I know that others are concerned about leaking information that could be
> used by an attacker to improve the attack.
> I don't think adding this error type would do that though.
> 
> -- Roland
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
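The two designs argued in this thread, modelled side by side as an added Python example that is not part of the thread and not code from any OpenID Connect implementation: the IdP either returns the proposed `required_claim_unavailable` error and details which claims are missing (Vladimir's point that otherwise the RP cannot tell which of several required claims failed), or it simply omits the claims and the RP re-checks its own policy. The response dict shapes, the `missing_claims` field and the sample claim values are constructed for illustration and are not the spec's wire syntax.

```python
"""Required vs optional claims, RP and IdP side.

Constructed example: the response shapes and the "missing_claims" field are
my own, not OpenID Connect syntax. The error name "required_claim_unavailable"
is the one proposed in the thread.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ClaimsPolicy:
    """What the RP needs. It refuses login without every required claim
    (the thread's rule: require only what the user can't be let in without)
    and proceeds happily without any optional one."""
    required: frozenset
    optional: frozenset

    def __post_init__(self):
        dup = self.required & self.optional
        if dup:
            raise ValueError("claim listed as both required and optional: %s" % sorted(dup))


def _present(claims):
    """A claim the user withheld or the IdP lacks is absent, null or empty."""
    return {k for k, v in claims.items() if v not in (None, "")}


def idp_response(policy, consented):
    """IdP side. `consented` is the claim set the user agreed to release
    (constructed input). Knowing which claims the RP marked required lets the
    IdP fail early and, as Vladimir suggested, spell out which ones are
    missing instead of leaving the RP to guess."""
    missing = sorted(policy.required - _present(consented))
    if missing:
        return {"error": "required_claim_unavailable", "missing_claims": missing}
    wanted = policy.required | policy.optional
    # Only hand back what was asked for; unrelated claims are dropped.
    return {"claims": {k: consented[k] for k in _present(consented) if k in wanted}}


@dataclass
class Decision:
    allowed: bool
    missing_required: list
    missing_optional: list
    claims: dict


def rp_decide(policy, response):
    """RP side. Works whether the IdP signals the error or silently omits the
    claims (the alternative argued in the thread): the RP never trusts the IdP
    to have enforced its policy and recomputes the gap itself."""
    if "error" in response:
        if response["error"] != "required_claim_unavailable":
            raise RuntimeError("unexpected error from IdP: %s" % response["error"])
        # Use the IdP's detail when given; otherwise assume nothing arrived.
        missing_req = sorted(response.get("missing_claims") or policy.required)
        return Decision(False, missing_req, sorted(policy.optional), {})
    claims = response.get("claims", {})
    present = _present(claims)
    missing_req = sorted(policy.required - present)
    missing_opt = sorted(policy.optional - present)
    accepted = {k: claims[k] for k in present if k in policy.required | policy.optional}
    return Decision(not missing_req, missing_req, missing_opt, accepted)


# Constructed RP policy: identity and e-mail are mandatory, the rest is nice to have.
POLICY = ClaimsPolicy(required=frozenset({"sub", "email"}),
                      optional=frozenset({"name", "picture"}))

if __name__ == "__main__":
    full = {"sub": "24400320", "email": "jane@example.com", "name": "Jane Doe", "extra": "x"}
    print(rp_decide(POLICY, idp_response(POLICY, full)))
    withheld = {"sub": "24400320", "email": None, "name": "Jane Doe"}
    print(rp_decide(POLICY, idp_response(POLICY, withheld)))
    # IdP that never signals the error: the RP still catches the gap.
    print(rp_decide(POLICY, {"claims": {"sub": "24400320", "name": "Jane Doe"}}))
```

The RP-side check is the part that matters for security: whichever error vocabulary the spec ends up with, an RP that lets the user in on the strength of the IdP's response alone, without confirming its own required set is present, has made the "required" distinction meaningless.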