[Openid-specs-ab] How to use OIDC claims as an identity oracle

Nat Sakimura sakimura at gmail.com
Tue Nov 8 16:21:19 UTC 2016


Japanese MNOs are providing it as part of child protection.

Nat

On Wed, Nov 9, 2016 at 12:59 AM John Bradley via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> I don’t know of anyone providing a validated age at this point.
> Most people are asking for age.
>
> Even for MNO validated age is complicated because you have people who are
> using the phone on a family plan that are not the account holder.
> It needs a bunch of backend account management work to create and validate
> attributes for someone other than the primary account holder,
> and even that can be dodgy as lots of people have phones on their parents'
> credit cards/ identity.
>
> That may wind up being something that someone like a civil registry or
> Drivers licence would provide as a distributed or aggregated claim.
>
> John B.
>
> On Nov 8, 2016, at 12:53 PM, George Fletcher <gffletch at aol.com> wrote:
>
> A new claim would be fine. I am trying to be a "good" RP and only ask for
> what is needed :) I do agree that with the operator mechanism, it's easy to
> find the age so maybe what Marc suggested would be the easiest. A new claim
> for age with an expected response of an integer. And maybe the claim is just
> not returned if the OP doesn't have a value to provide. This would also
> allow the user to not send their age via the consent flow.
>
> How are other RPs dealing with this issue? Using the existing 'birthdate'
> claim?
>
> Thanks,
> George
>
> On 11/8/16 10:43 AM, John Bradley wrote:
>
> It would likely need to be a new claim to avoid stepping on existing semantics.
>
> Claim request can be an object. The only elements that we have reserved are "essential", "value" and "values"; nothing stops us from defining an operator for one or more claims.
>
> The default operator is equals, e.g.
> "sub": {"value": "248289761001"}
>
> We could have a new verified_age {"essential": true, "value": 18, "op": "ge"}
> Return true or false.
>
> With operators lt, le, eq, ge, gt or something like that.
>
> That would let the RP specify what they need as an adult in their jurisdiction.
>
> On the other hand, if people are handing out verified birthdates anyway, this may be more work than it is worth.
>
> Are people more likely to consent to giving out "are you over 18" vs birthdate?
>
> The downside of letting people ask for a year is that they can ask multiple times to find the year, so perhaps you would make them register the value for their area to prevent that.
>
> John B.
>
>
>
> On Nov 8, 2016, at 10:55 AM, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> I've heard that the GSMA Mobile Connect effort has this use case as part of the "extended data attributes" use cases and I am curious how it's going to get solved. I completely agree with your assessment of what the spec allows hence my question to the group:)
>
> Specific claims would be very tedious.
>
> I suppose the spec could be updated to allow operators instead of just the "essential" keyword.
>
> "age": {">": 12}
>
> Though that implies a well thought out filter mechanism and loses the ability to specify the claim as "essential".
>
> So short term I can easily make this an RP/OP specific feature, but it seems like something more people are going to need.
>
> Thanks,
> George
>
> On 11/8/16 8:25 AM, Axel.Nennker at telekom.de wrote:
>
> I think that computations on claim values are not possible with the current spec.
> You can only ask for proprietary claims and RP and OP would need to agree on this OOB.
>
> Changing the example from http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
>
> {
>    "userinfo":
>     {
>      "given_name": {"essential": true},
>      "nickname": null,
>      "email": {"essential": true},
>      "email_verified": {"essential": true},
>      "picture": null,
>      "https://schemas.xmlsoap.org/ws/2005/05/identity/claims/over18": {"essential": true} /* :-) */
>     },
>    "id_token":
>     {
>      "auth_time": {"essential": true},
>      "acr": {"values": ["urn:mace:incommon:iap:silver"] }
>     }
>   }
>
> We had discussions in the OASIS IMI (RIP) where Microsoft proposed using uprove for exactly that kind of request.
> https://wiki.oasis-open.org/imi/
>
> There was a proposed variant of WS-* making uprove possible that added one more roundtrip compared to ws-* that was needed in InfoCards.
>
> In general you don't know what the RP is going to ask (age>18) or (age<14) so solving this with fixed attributes is tedious and market specific.
>
> Are you going to provide text for this query language to add to http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter ?
>
> Cheers
> Axel
>
> http://www.theregister.co.uk/2006/03/28/infocard_identity/
> http://self-issued.info/?m=200806
>
>
> -----Original Message-----
> From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of George Fletcher via Openid-specs-ab
> Sent: Friday, November 04, 2016 8:32 PM
> To: openid-specs-ab at lists.openid.net
>
> Subject: [Openid-specs-ab] How to use OIDC claims as an identity oracle
>
> Hi,
>
> As a relying party, I'd love to be able to ask the OpenID Provider whether the user authenticating is over a particular age. This could be used in many use cases. However, when I look at the spec, there is only a provided claim name of 'birthdate'. I don't really want the user's birth date, just an assertion that the user is over a particular age.
>
> I don't see a way to do this via the OIDC claim mechanism. Any thoughts on how an RP may make such a request?
>
> Thanks,
> George
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
-- 

Nat Sakimura

Chairman of the Board, OpenID Foundation
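The thread sketches an operator-style claims request (a "verified_age" claim with "op" values lt, le, eq, ge, gt returning true or false) and notes the risk that an RP could repeat the query with different thresholds to narrow down the birth year. The following is an added illustration of how an OP might evaluate such a request, written for this page rather than taken from the thread or from any OpenID specification. The claim name "verified_age", the "op" key and the operator names are the thread's proposal; the per-RP allow-list of registered (operator, threshold) pairs is an assumed mitigation for the enumeration concern, and the sample dates and claims parameter are constructed.

```python
"""Evaluate a proposed operator-style "verified_age" claim request on the OP side.

Added example for the thread's proposal; not code from the thread or from any
OpenID Connect specification. "verified_age", "op" and lt/le/eq/ge/gt are the
thread's sketch; registered_thresholds is a hypothetical per-RP allow-list that
stops an RP from asking repeatedly with shifting thresholds to learn the year.
"""
from datetime import date
import json
import operator
from typing import Optional

# Operators named in the thread's proposal.
OPERATORS = {
    "lt": operator.lt,
    "le": operator.le,
    "eq": operator.eq,
    "ge": operator.ge,
    "gt": operator.gt,
}


def age_on(birthdate: date, today: date) -> int:
    """Completed years of age on `today`, counting a birthday only once reached."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def evaluate_age_request(request: dict, birthdate: date, today: date,
                         registered_thresholds: frozenset) -> Optional[bool]:
    """Evaluate one verified_age request object such as {"value": 18, "op": "ge"}.

    Returns True/False for a permitted comparison, or None when the OP declines:
    unknown operator, non-integer value, or an (op, value) pair this RP did not
    register in advance (the thread's suggestion for blocking year enumeration).
    """
    op_name = request.get("op", "eq")  # the thread treats equality as the default
    value = request.get("value")
    if op_name not in OPERATORS:
        return None
    if not isinstance(value, int) or isinstance(value, bool):
        return None
    if (op_name, value) not in registered_thresholds:
        return None
    return OPERATORS[op_name](age_on(birthdate, today), value)


def build_userinfo(claims_param: str, birthdate: Optional[date], today: date,
                   registered_thresholds: frozenset) -> dict:
    """Return the verified_age part of a UserInfo response for a raw `claims` parameter.

    Following the thread, the claim is simply omitted when the OP has no
    birthdate on file or declines to answer, rather than returning an error.
    """
    claims = json.loads(claims_param)
    request = claims.get("userinfo", {}).get("verified_age")
    if request is None or birthdate is None:
        return {}
    result = evaluate_age_request(request, birthdate, today, registered_thresholds)
    return {} if result is None else {"verified_age": result}


# Constructed sample data (not from the thread).
RP_REGISTERED = frozenset({("ge", 18), ("lt", 14)})   # thresholds this RP registered
TODAY = date(2016, 11, 8)
USER_BIRTHDATE = date(1999, 11, 9)                     # turns 17 the day after TODAY
CLAIMS_REQUEST = json.dumps({
    "userinfo": {"verified_age": {"essential": True, "value": 18, "op": "ge"}},
    "id_token": {"auth_time": {"essential": True}},
})

if __name__ == "__main__":
    print(build_userinfo(CLAIMS_REQUEST, USER_BIRTHDATE, TODAY, RP_REGISTERED))
```

The allow-list is checked before the comparison is made, so an unregistered threshold yields no claim at all; a request that was answered and a request that was refused are therefore indistinguishable to the RP except through the registration it already knows about.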