[Openid-specs-ab] user claims in id_token
Vladimir Dzhuvinov
vladimir at connect2id.com
Tue Sep 1 07:14:05 UTC 2015
Hi Mike,

Thanks for sharing this, we recently considered implementing something
similar.

What was the rationale for this particular layout instead of using a
straight scope_name -> [claim-1, claim-2, ...] mapping?

"scope_to_claims_mapping":
{
    "email" : [ "mail" ],
    "address" : [ "mail", "street", "l", "st", "postOfficeBox", "postalCode", "postalAddress"]
}

Cheers,

Vladimir

On 20.08.2015 20:09, Mike Schwartz wrote:
>>>> Is it valid to request "userinfo" related claims to be in the
>>>> id_token?
>
> One thing I've pointed out in the past is that a discovery request
> returns the claims supported, and the scopes supported, but not which
> claims are associated with which scopes.
>
> In the Gluu Server we naughtily added this one claim to discovery to
> help clients know which scope to request, because as Mike Jones
> pointed out, some OPs (like the Gluu Server) don't support individual
> requests for claims.
>
> Anyway... maybe if there's an OpenID Connect 2.0 at some point it's
> worth considering. In enterprise use cases where there are custom user
> claims and scopes it might be more useful.
>
> "scope_to_claims_mapping": [
>     {
>         "scope": "email",
>         "claims": ["mail"]
>     },
>     {
>         "scope": "address",
>         "claims": [
>             "mail",
>             "street",
>             "l",
>             "st",
>             "postOfficeBox",
>             "postalCode",
>             "postalAddress"
>         ]
>     }
> ]
>
--
Vladimir Dzhuvinov :: vladimir at connect2id.com
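
An added example, not part of either message and not Gluu or Connect2id code: a relying party that reads this non-standard discovery field can accept both layouts discussed above and pick the smallest set of scopes that releases the claims it needs, so it does not over-request user data. The function names are hypothetical and the sample metadata is constructed from the values quoted in the thread.

```python
# Added example (not from the thread). Sample metadata is constructed from the
# two layouts quoted above; the field is Gluu's non-standard discovery extension.
CLAIMS = ["mail", "street", "l", "st", "postOfficeBox", "postalCode", "postalAddress"]
LIST_LAYOUT = {"scope_to_claims_mapping": [
    {"scope": "email", "claims": ["mail"]},
    {"scope": "address", "claims": CLAIMS},
]}
MAP_LAYOUT = {"scope_to_claims_mapping": {"email": ["mail"], "address": CLAIMS}}


def normalize(metadata):
    """Return {scope: set(claims)} from either layout, rejecting malformed input."""
    raw = metadata.get("scope_to_claims_mapping")
    if isinstance(raw, dict):
        pairs = list(raw.items())
    elif isinstance(raw, list) and all(isinstance(e, dict) for e in raw):
        pairs = [(e.get("scope"), e.get("claims")) for e in raw]
    else:
        raise ValueError("scope_to_claims_mapping missing or not a list/object")
    mapping = {}
    for scope, claims in pairs:
        if not (isinstance(scope, str) and isinstance(claims, list)
                and all(isinstance(c, str) for c in claims)):
            raise ValueError(f"malformed entry for scope {scope!r}")
        # The list layout lets a scope appear twice; merge instead of overwriting.
        mapping.setdefault(scope, set()).update(claims)
    return mapping


def scopes_for(mapping, wanted):
    """Greedy cover of the wanted claims; ties go to the scope releasing fewest extras."""
    wanted = set(wanted)
    remaining, chosen = set(wanted), []
    while remaining:
        candidates = [s for s in mapping if mapping[s] & remaining]
        if not candidates:
            raise LookupError(f"no advertised scope releases {sorted(remaining)}")
        best = min(candidates, key=lambda s: (-len(mapping[s] & remaining),
                                              len(mapping[s] - wanted), s))
        chosen.append(best)
        remaining -= mapping[best]
    return chosen


def surplus(mapping, scopes, wanted):
    """Claims the chosen scopes release beyond what the client asked for."""
    released = set().union(*(mapping[s] for s in scopes))
    return sorted(released - set(wanted))
```

Because "mail" sits under both scopes, a client that only needs the mail claim is steered to the email scope, and surplus() shows what else the address scope would release when a street claim is also required.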