[Openid-specs-ab] How to use OIDC claims as an identity oracle
Axel.Nennker at telekom.de
Tue Nov 8 13:25:44 UTC 2016
I think that computations on claim values are not possible with the current spec.
You can only ask for proprietary claims and RP and OP would need to agree on this OOB.
Changing the example from http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
{
  "userinfo":
  {
    "given_name": {"essential": true},
    "nickname": null,
    "email": {"essential": true},
    "email_verified": {"essential": true},
    "picture": null,
    "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/over18": {"essential": true} /* :-) */
  },
  "id_token":
  {
    "auth_time": {"essential": true},
    "acr": {"values": ["urn:mace:incommon:iap:silver"] }
  }
}
We had discussions in the OASIS IMI (RIP) where Microsoft proposed using U-Prove for exactly that kind of request.
https://wiki.oasis-open.org/imi/
There was a proposed variant of WS-* making U-Prove possible that added one more roundtrip compared to the WS-* that was needed in InfoCards.
In general you don't know what the RP is going to ask (age>18) or (age<14) so solving this with fixed attributes is tedious and market specific.
Are you going to provide text for this query language to add to http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter ?
Cheers
Axel
http://www.theregister.co.uk/2006/03/28/infocard_identity/
http://self-issued.info/?m=200806
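The OP-side computation that the thread says the current spec leaves to out-of-band agreement, as an added example that is not part of the original messages: an OP resolves the claims request above, copies the standard claims it holds and derives the proprietary over18 claim from the stored birthdate, so the RP gets a boolean rather than the birthdate. The claim URL is the one from the example request; the user record, claims request and dates are constructed, and the handling of the spec's year-only and year-withheld birthdate formats is my addition.

```python
import datetime as dt
import json

# Proprietary claim name as used in the example request above (assumed; not a standard OIDC claim).
OVER18_CLAIM = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/over18"

# Constructed sample user record held by the OP; 'birthdate' is OIDC's ISO 8601 YYYY-MM-DD.
USER_RECORD = {"sub": "248289761001", "given_name": "Jane", "email": "jane@example.com",
               "email_verified": True, "birthdate": "2000-02-29"}

# Constructed claims request mirroring the thread's example (minus the /* :-) */ comment).
SAMPLE_CLAIMS_REQUEST = json.dumps({"userinfo": {
    "given_name": {"essential": True}, "nickname": None, "email": {"essential": True},
    "email_verified": {"essential": True}, "picture": None, OVER18_CLAIM: {"essential": True}}})


def age_in_years(birthdate, today_iso):
    """Completed years from an OIDC 'birthdate' on the given date, or None if unknowable.

    Handles the spec's three formats: YYYY-MM-DD, YYYY (year only, treated as
    31 December so the result is a lower bound on age) and 0000-MM-DD (year withheld).
    """
    today = dt.date.fromisoformat(today_iso)
    parts = birthdate.split("-")
    if parts[0] == "0000":
        return None
    year = int(parts[0])
    month, day = (int(parts[1]), int(parts[2])) if len(parts) == 3 else (12, 31)
    had_birthday_this_year = (today.month, today.day) >= (month, day)  # leap-day safe
    return today.year - year - (0 if had_birthday_this_year else 1)


def resolve_userinfo(claims_request, user, today_iso):
    """Build the UserInfo response for the 'userinfo' member of a claims request.

    Standard claims are copied from the record; the over18 claim is derived at the
    OP so the RP receives a boolean, never the birthdate it did not ask for.
    """
    requested = json.loads(claims_request).get("userinfo", {})
    response = {"sub": user["sub"]}
    for name in requested:
        if name == OVER18_CLAIM:
            age = age_in_years(user.get("birthdate", "0000"), today_iso)
            if age is not None:          # unknown age: omit the claim rather than guess
                response[name] = age >= 18
        elif name in user:
            response[name] = user[name]
    return response
```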
-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of George Fletcher via Openid-specs-ab
Sent: Friday, November 04, 2016 8:32 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] How to use OIDC claims as an identity oracle
Hi,
As a relying party, I'd love to be able to ask the OpenID Provider whether the user authenticating is over a particular age. This could be used in many use cases. However, when I look at the spec, there is only a provided claim name of 'birthdate'. I don't really want the user's birth date, just an assertion that the user is over a particular age.
I don't see a way to do this via the OIDC claim mechanism. Any thoughts on how an RP may make such a request?
Thanks,
George