[Openid-specs-ab] How to use OIDC claims as an identity oracle
George Fletcher
gffletch at aol.com
Tue Nov 8 13:55:27 UTC 2016
I've heard that the GSMA Mobile Connect effort has this use case as part
of the "extended data attributes" use cases and I am curious how it's
going to get solved. I completely agree with your assessment of what the
spec allows hence my question to the group:)
Specific claims would be very tedious.
I suppose the spec could be updated to allow operators instead of just
the "essential" keyword.
"age" : {">": 12"}
Though that implies a well thought out filter mechanism and loses the
ability to specify the claim as "essential".
So short term I can easily make this a RP/OP specific feature, but it
seems like something more people are going to need.
Thanks,
George
On 11/8/16 8:25 AM, Axel.Nennker at telekom.de wrote:
> I think that computations on claim values are not possible with the current spec.
> You can only ask for proprietary claims and RP and OP would need to agree on this OOB.
>
> Changing the example from http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
> {
> "userinfo":
> {
> "given_name": {"essential": true},
> "nickname": null,
> "email": {"essential": true},
> "email_verified": {"essential": true},
> "picture": null,
> "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/over18": {"essential": true} /* :-) */
> },
> "id_token":
> {
> "auth_time": {"essential": true},
> "acr": {"values": ["urn:mace:incommon:iap:silver"] }
> }
> }
>
> We had discussions in the OASIS IMI (RIP) where Microsoft proposed using uprove for exactly that kind of request.
> https://wiki.oasis-open.org/imi/
> There was a proposed variant of WS-* making uprove possible that added one more roundtrip compared to ws-* that was needed in InfoCards.
>
> In general you don't know what the RP is going to ask (age>18) or (age<14) so solving this with fixed attributes is tedious and market specific.
>
> Are you going to provide text for this query language to add to http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter ?
>
> Cheers
> Axel
>
> http://www.theregister.co.uk/2006/03/28/infocard_identity/
> http://self-issued.info/?m=200806
>
> -----Original Message-----
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of George Fletcher via Openid-specs-ab
> Sent: Friday, November 04, 2016 8:32 PM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] How to use OIDC claims as an identity oracle
>
> Hi,
>
> As a relying party, I'd love to be able to ask the OpenID Provider whether the user authenticating is over a particular age. This could be used in many use cases. However, when I look at the spec, there is only a provided claim name of 'birthdate'. I don't really want the user's birth date, just an assertion that the user is over a particular age.
>
> I don't see a way to do this via the OIDC claim mechanism. Any thoughts on how an RP may make such a request?
>
> Thanks,
> George
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
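As an added example (not code from the thread or from any OIDC implementation), here is an OP-side evaluator in Python that answers the two request styles discussed above: Axel's fixed proprietary over18 claim and George's proposed operator form, with "essential" kept alongside the operator. It assumes a hypothetical `age<op><value>: bool` encoding for the answer and an OP policy that releases derived booleans but never the raw birthdate.

```python
import json
from datetime import date

OVER18 = "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/over18"  # from Axel's example

# Constructed sample: the JSON an RP would send in the OIDC `claims` parameter
RP_CLAIMS_REQUEST = json.dumps({"userinfo": {
    "email": {"essential": True},
    OVER18: {"essential": True},            # fixed proprietary claim, agreed out of band
    "age": {">": 12, "essential": True},    # George's proposed operator form (hypothetical)
    "birthdate": None,                      # requested, but withheld by the OP policy below
}})

OPS = {">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "<": lambda a, b: a < b, "<=": lambda a, b: a <= b}

def age_on(birthdate_iso, today_iso):
    """Completed years between two YYYY-MM-DD dates (the birthdate claim format)."""
    b, t = date.fromisoformat(birthdate_iso), date.fromisoformat(today_iso)
    years = t.year - b.year
    if (t.month, t.day) < (b.month, b.day):  # birthday not yet reached this year
        years -= 1
    return years

def answer_userinfo(request_json, user, today_iso):
    """OP side: release only what policy allows. Age predicates come back as
    booleans; the raw birthdate never leaves the OP."""
    wanted = json.loads(request_json).get("userinfo", {})
    age = age_on(user["birthdate"], today_iso)
    out = {}
    for name, spec in wanted.items():
        spec = spec or {}
        if name == OVER18:
            out[name] = age >= 18
        elif name == "age":
            for op, val in spec.items():           # answered as "age<op><val>": bool (assumed encoding)
                if op in OPS:
                    out[f"age{op}{val}"] = OPS[op](age, val)
        elif name != "birthdate" and name in user:
            out[name] = user[name]
    return out

def missing_essential(request_json, response):
    """RP side: essential claims the OP did not answer (the RP decides what to do next)."""
    wanted = json.loads(request_json).get("userinfo", {})
    got_age = any(k.startswith("age") for k in response)
    return [n for n, s in wanted.items() if (s or {}).get("essential")
            and not (n in response or (n == "age" and got_age))]
```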