[Openid-specs-ab] Definition of required and optional claims? Handling?
Henrik Biering
hb at netamia.com
Thu Apr 12 23:55:11 UTC 2012
I strongly disagree with treating a missing required claim as an error!
The ability to distinguish between required and optional claims is
definitely useful for the IdP in order to clearly convey the client's
policy for a specific action to the user. However, if the user
disagrees with this policy - or has chosen to use another provider for
some claims - it is a pure policy dispute matter that can only be
resolved through a direct dialogue between the client and the user.
Policy dispute resolution should be outside the scope of the protocol.
One of the worst general implementation errors in OpenID 1 and 2 has
been throwing unintelligible technical error messages in the ordinary
user's face. So instead of further hinting developers to treat policy
disputes as technical errors, it may be relevant to add informative
notes as to when developers should consult their business responsible
colleagues about relevant options and user dialogue.
=henrik
On 11-04-2012 22:14, Mike Jones wrote:
> If a required claim isn't available, that's an error. (It's not for optional claims.) But looking at the list of errors in 2.1.4 http://openid.net/specs/openid-connect-messages-1_0-09.html#anchor8 we haven't defined an error for that case. I suspect we should define one like "required_claim_unavailable".
>
> What are others' thoughts?
>
> -- Mike
>
> -----Original Message-----
> From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Vladimir Dzhuvinov / NimbusDS
> Sent: Wednesday, April 11, 2012 2:36 AM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] Definition of required and optional claims? Handling?
>
> Several places in the spec (mostly on the OpenID request object) mention "required claim" and "optional claim". I was kind of wondering what exactly these are until I read section 5.1.3 on handling "acr" claim requests.
>
> http://openid.net/specs/openid-connect-messages-1_0-09.html#req.obj.veri
>
> Would it make sense to define "required claim" and "optional claim" in a separate section? Also their handling, if it can be generalised?
>
> Right now I'm not sure about the difference between required and optional UserInfo claim requests. How is a required UserInfo claim request to be handled if the data isn't available on the server?
>
> Cheers,
>
> Vladimir
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab