[Openid-specs-ab] Definition of required and optional claims? Handling?
Vladimir Dzhuvinov / NimbusDS
vladimir at nimbusds.com
Fri Apr 13 06:51:06 UTC 2012
Thanks John, this makes sense to me now. And if that is indeed the
intended purpose of marking claims "required", I would suggest
explaining it in the spec for other developers like me.
Vladimir
--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
-------- Original Message --------
Subject: Re: [Openid-specs-ab] Definition of required and optional
claims? Handling?
From: John Bradley <ve7jtb at ve7jtb.com>
Date: Thu, April 12, 2012 10:27 pm
To: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>
Cc: "Roland Hedberg" <roland.hedberg at adm.umu.se>, "Mike Jones"
<Michael.Jones at microsoft.com>, "openid-specs-ab at lists.openid.net"
<openid-specs-ab at lists.openid.net>
The RP should only make a claim required if the user will not be allowed
in without it.
Most social logins will use scopes where they are optional.
Having a way to indicate to the IdP that the user won't be allowed in
without the claim allows the IdP to inform the user.
John
On 2012-04-12, at 9:22 PM, Vladimir Dzhuvinov / NimbusDS wrote:
> Hi guys,
>
> Is there an actual need to have required claims? Can't all claims be
> treated as optional?
>
> Here is my perspective:
>
> If I were a client (relying party) and a particular claim I deem
> required is not available (or the user chooses to withhold it), it would
> be easier if I just didn't receive it, instead of having a
> "required_claim_unavailable" thrown at me.
>
> My arguments for that:
>
> * For multiple required claims, that makes it easier for the client to
> identify which particular claims are not available. Otherwise the IdP
> will have to detail this in the response error.
>
> * Simpler API.
>
> * Strictly speaking, claim requirement is a client issue, not an IdP
> issue.
>
>
> Vladimir
>
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>
>
>
> -------- Original Message --------
> Subject: Re: [Openid-specs-ab] Definition of required and optional
> claims? Handling?
> From: Roland Hedberg <roland.hedberg at adm.umu.se>
> Date: Thu, April 12, 2012 7:40 am
> To: Mike Jones <Michael.Jones at microsoft.com>
> Cc: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>,
> "openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>
>
>
>
> On 11 Apr 2012, at 22:14, Mike Jones wrote:
>
>> If a required claim isn't available, that's an error. (It's not for optional claims.) But looking at the list of errors in 2.1.4 http://openid.net/specs/openid-connect-messages-1_0-09.html#anchor8 we haven't defined an error for that case. I suspect we should define one like "required_claim_unavailable".
>>
>> What are other's thoughts?
>
> I'm in favor of adding error types that actually mean something to the
> client (RP).
> That is, ones that allow it to do something intelligent in response.
>
> I know that others are concerned about leaking information that could be
> used by an attacker to improve the attack.
> I don't think adding this error type would do that though.
>
> -- Roland
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
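The two models argued over in this thread, as an added example that is not code from the thread, the OpenID Connect specs, or any of the participants: on the IdP side, John's and Mike's model, where a claim marked required that is unavailable (or withheld by the user) yields an error so the IdP can tell the user that login will not succeed; on the RP side, Vladimir's model, where the RP simply checks what it received and works out for itself which required claims are missing. The claims request shape below uses the `"essential": true` marker of the later OpenID Connect Core `claims` parameter, which is an assumption about the draft under discussion; `required_claim_unavailable` is the error name Mike proposed in the thread, not a registered error code; the user records are constructed sample data.

```python
"""Required vs. optional claims: IdP-side release check and RP-side admission check.
Example only; not the spec's or the mailing list participants' code."""

# Error name proposed in the thread; NOT a registered OpenID Connect error code.
REQUIRED_CLAIM_UNAVAILABLE = "required_claim_unavailable"

# Constructed claims request, shaped like the OpenID Connect "claims" parameter.
# {"essential": True} marks a claim the RP will not admit the user without;
# None means optional. (Assumption: the draft discussed may have used other wording.)
CLAIMS_REQUEST = {
    "userinfo": {
        "email": {"essential": True},
        "email_verified": {"essential": True},
        "name": None,
        "picture": None,
    }
}


def required_claims(claims_request, section="userinfo"):
    """Names of the claims marked essential in one section of the request."""
    return {
        name
        for name, spec in claims_request.get(section, {}).items()
        if isinstance(spec, dict) and spec.get("essential") is True
    }


def optional_claims(claims_request, section="userinfo"):
    """Every requested claim that is not marked essential."""
    return set(claims_request.get(section, {})) - required_claims(claims_request, section)


def idp_release(claims_request, user_claims, withheld=()):
    """IdP side (John/Mike): before redirecting back, compare the essential
    claims with what is available and what the user chose to withhold.
    Returns either the claims to release or an error the RP can act on."""
    required = required_claims(claims_request)
    available = {k: v for k, v in user_claims.items() if k not in set(withheld)}
    missing = sorted(required - set(available))
    if missing:
        # Because the RP said these claims are essential, the IdP can tell the
        # user up front that login at this RP cannot proceed without them.
        return {"error": REQUIRED_CLAIM_UNAVAILABLE, "missing_claims": missing}
    # Release only what was requested (plus the subject identifier), never the
    # whole user record: unrequested claims stay with the IdP.
    requested = required | optional_claims(claims_request) | {"sub"}
    return {"claims": {k: v for k, v in available.items() if k in requested}}


def rp_admit(claims_request, received):
    """RP side (Vladimir): treat everything as optional on the wire and decide
    locally. Returns (admitted, missing_required_claims) so the RP knows exactly
    which required claims it did not get."""
    if "error" in received:
        return False, list(received.get("missing_claims", []))
    claims = received.get("claims", {})
    missing = sorted(required_claims(claims_request) - set(claims))
    return not missing, missing


if __name__ == "__main__":
    # Constructed user record at the IdP.
    alice = {"sub": "248289761001", "email": "alice@example.com",
             "email_verified": True, "name": "Alice", "phone_number": "+15550100"}
    print(idp_release(CLAIMS_REQUEST, alice))
    print(idp_release(CLAIMS_REQUEST, alice, withheld=["email"]))
    print(rp_admit(CLAIMS_REQUEST, {"claims": {"sub": "x", "name": "Bob"}}))
```

Either way the RP's access decision is the same local check against the claims it actually holds; the difference is only whether the IdP learns, from the "essential" marker, that it should stop and explain to the user instead of redirecting back with an incomplete set.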