[Openid-specs-ab] How to use OIDC claims as an identity oracle
Justin Richer
jricher at mit.edu
Sun Nov 13 01:40:15 UTC 2016
This is an interesting problem, and it aligns with some of the language in the new version of NIST 800-63 (version 3 volume C) about “attribute values” vs. “attribute claims/references” (note: we’re still arguing over those names). Basically, where possible, the RPs want a way to ask for confirmation of a value (such as age check) without getting at the underlying data to make that calculation (like a birthdate). A general purpose mechanism for this kind of query and response would be generally useful, I believe.
I rather like George’s proposed {essential: true, ">": 18} approach, where ">" replaces "value", which is the "==" operator.
— Justin
> On Nov 5, 2016, at 4:32 AM, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> Hi,
>
> As a relying party, I'd love to be able to ask the OpenID Provider whether the user authenticating is over a particular age. This could be used in many use cases. However, when I look at the spec, there is only a provided claim name of 'birthdate'. I don't really want the user's birth date, just an assertion that the user is over a particular age.
>
> I don't see a way to do this via the OIDC claim mechanism. Any thoughts on how a RP may make such a request?
>
> Thanks,
> George
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
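The request shape discussed in this thread, as an added example that is not part of the original messages or of any OpenID specification: an OP-side sketch that answers a ">" predicate from the stored birthdate and releases only the boolean result. The ">" member is the proposal from the thread; the derived claim name "age", the boolean response form, the user record and the function names are assumptions of this example.

```python
import json
from datetime import date

# Constructed "claims" request parameter. ">" is the operator proposed in the
# thread (not in OIDC Core); the derived claim name "age" is an assumption.
CLAIMS_REQUEST = json.dumps({"id_token": {"age": {"essential": True, ">": 18}}})

# Constructed user record as held by the OP; the birthdate never leaves it.
USER = {"sub": "user-123", "birthdate": "2000-02-29"}


def age_on(birthdate: str, today: date) -> int:
    """Whole years completed on `today`, correct for 29 February birthdays."""
    born = date.fromisoformat(birthdate)
    # Subtract one year if this year's birthday has not been reached yet.
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def evaluate(claim_request, actual):
    """Return True/False for a predicate, or None when no predicate was asked."""
    if not isinstance(claim_request, dict):
        return None  # null request: this sketch releases nothing by default
    if ">" in claim_request:
        return actual > claim_request[">"]  # strict: exactly 18 is not "> 18"
    if "value" in claim_request:
        return actual == claim_request["value"]  # existing member, acts as "=="
    return None


def build_id_token_claims(request_json: str, user: dict, today: date) -> dict:
    """Claims the OP would place in the ID Token for this request."""
    requested = json.loads(request_json).get("id_token", {})
    claims = {"sub": user["sub"]}
    if "age" in requested:
        result = evaluate(requested["age"], age_on(user["birthdate"], today))
        if result is not None:
            # Only the yes/no answer is released, not the birthdate or the age.
            claims["age"] = result
    return claims


if __name__ == "__main__":
    print(build_id_token_claims(CLAIMS_REQUEST, USER, date(2018, 3, 1)))
    print(build_id_token_claims(CLAIMS_REQUEST, USER, date(2019, 3, 1)))
```

Because ">" is strict, an RP that means "18 or older" would have to send 17 under this reading, which is the kind of boundary a specification of the operator would need to pin down.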