[Openid-specs-ab] How to use OIDC claims as an identity oracle

Axel.Nennker at telekom.de Axel.Nennker at telekom.de
Tue Nov 8 14:31:33 UTC 2016


In Mobile Connect's future there is an "is_adult" attribute (based on local definition) envisioned.

I guess there is potential legal trouble lingering in the "based on local definition" part if the service provider is providing age restricted stuff and the user is an adult in the OP's jurisdiction but not in the service provider's jurisdiction which might prohibit selling stuff to minors...


From: George Fletcher [mailto:gffletch at aol.com]
Sent: Tuesday, November 08, 2016 2:55 PM
To: Nennker, Axel
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] How to use OIDC claims as an identity oracle

I've heard that the GSMA Mobile Connect effort has this use case as part of the "extended data attributes" use cases and I am curious how it's going to get solved. I completely agree with your assessment of what the spec allows hence my question to the group :)

Specific claims would be very tedious.

I suppose the spec could be updated to allow operators instead of just the "essential" keyword.

"age": {">": 12}

Though that implies a well thought out filter mechanism and loses the ability to specify the claim as "essential".

So short term I can easily make this a RP/OP specific feature, but it seems like something more people are going to need.

Thanks,
George
On 11/8/16 8:25 AM, Axel.Nennker at telekom.de wrote:

I think that computations on claim values are not possible with the current spec.

You can only ask for proprietary claims and RP and OP would need to agree on this OOB.

Changing the example from http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter

  {
   "userinfo":
    {
     "given_name": {"essential": true},
     "nickname": null,
     "email": {"essential": true},
     "email_verified": {"essential": true},
     "picture": null,
     "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/over18": {"essential": true} /* :-) */
    },
   "id_token":
    {
     "auth_time": {"essential": true},
     "acr": {"values": ["urn:mace:incommon:iap:silver"] }
    }
  }

We had discussions in the OASIS IMI (RIP) where Microsoft proposed using U-Prove for exactly that kind of request.

https://wiki.oasis-open.org/imi/

There was a proposed variant of WS-* making U-Prove possible that added one more roundtrip compared to the WS-* that was needed in InfoCards.

In general you don't know what the RP is going to ask (age>18) or (age<14) so solving this with fixed attributes is tedious and market specific.

Are you going to provide text for this query language to add to http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter ?

Cheers

Axel

http://www.theregister.co.uk/2006/03/28/infocard_identity/

http://self-issued.info/?m=200806

-----Original Message-----
From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of George Fletcher via Openid-specs-ab
Sent: Friday, November 04, 2016 8:32 PM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] How to use OIDC claims as an identity oracle

Hi,

As a relying party, I'd love to be able to ask the OpenID Provider whether the user authenticating is over a particular age. This could be used in many use cases. However, when I look at the spec, there is only a provided claim name of 'birthdate'. I don't really want the user's birth date, just an assertion that the user is over a particular age.

I don't see a way to do this via the OIDC claim mechanism. Any thoughts on how an RP may make such a request?

Thanks,

George
