[Openid-specs-ab] How to use OIDC claims as an identity oracle

John Bradley ve7jtb at ve7jtb.com
Sun Nov 13 06:53:03 UTC 2016


I always had the more XML pattern in mind where we would add an operator
element to the claim object, e.g. "OP": and define values for "includes", ">=",
etc.

Rather than expand on value and values.

I could live with it either way, and would favor whatever is easiest to
parse for developers.

It is worth talking about.  Sometimes you want just a Y/N back.

There are privacy issues to consider.   Some argue that if the RP already
has the info and is just validating it then they don't need to ask for
consent.  This is the slippery slope to becoming a data broker.

We would also need to work on privacy guidance around notifying users that
attributes are being confirmed.

We already have an example of this with email address, when it is sent as
the user hint and it is sent back in the id_token as an attribute without
explicit release by the user at some IdP.

I understand the logic but don't know that it is a good precedent for age
or address etc.

John B.

On Nov 13, 2016 10:40, "Justin Richer via Openid-specs-ab" <
openid-specs-ab at lists.openid.net> wrote:

> This is an interesting problem, and it aligns with some of the language in
> the new version of NIST 800-63 (version 3 volume C) about “attribute
> values” vs. “attribute claims/references” (note: we’re still arguing over
> those names). Basically, where possible, the RPs want a way to ask for
> confirmation of a value (such as age check) without getting at the
> underlying data to make that calculation (like a birthdate). A general
> purpose mechanism for this kind of query and response would be generally
> useful, I believe.
>
> I rather like George’s proposed {essential: true, “>”: 18} approach, where
> “>” replaces “value”, which is the “==” operator.
>
>  — Justin
>
> > On Nov 5, 2016, at 4:32 AM, George Fletcher via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> >
> > Hi,
> >
> > As a relying party, I'd love to be able to ask the OpenID Provider
> whether the user authenticating is over a particular age. This could be
> used in many use cases. However, when I look at the spec, there is only a
> provided claim name of 'birthdate'. I don't really want the user's birth
> date, just an assertion that the user is over a particular age.
> >
> > I don't see a way to do this via the OIDC claim mechanism. Any thoughts
> on how a RP may make such a request?
> >
> > Thanks,
> > George
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
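The two request syntaxes floated in the thread, sketched as an OP-side evaluator. This is an added example, not code from the thread or from any OpenID specification: it accepts both the operator-as-key form George and Justin describe ({"essential": true, ">": 18}) and the separate "OP" element John mentions, evaluates the predicate against the user's birthdate at the OP, and returns only a yes/no so the birthdate itself never reaches the RP. The key names "OP" and "age_check", the request layouts and the sample dates are assumptions.

```python
import json
from datetime import date

# Constructed claims requests in the two syntaxes floated in the thread.
# Neither operator form is part of OpenID Connect Core; both are hypothetical.
REQUEST_OPERATOR_AS_KEY = json.dumps(      # George / Justin: operator replaces "value"
    {"id_token": {"birthdate": {"essential": True, ">": 18}}})
REQUEST_OP_ELEMENT = json.dumps(           # John: separate "OP" element plus threshold
    {"id_token": {"birthdate": {"essential": True, "OP": ">=", "value": 18}}})

# Operators the OP is willing to evaluate; anything else is rejected.
_OPS = {
    ">":  lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<":  lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}

def age_on(birthdate: str, today: date) -> int:
    """Whole years elapsed since an ISO 8601 birthdate (YYYY-MM-DD)."""
    born = date.fromisoformat(birthdate)
    before_birthday = (today.month, today.day) < (born.month, born.day)
    return today.year - born.year - before_birthday

def parse_predicate(spec: dict):
    """Extract (operator, threshold) from either syntax; None if the RP asked
    for the raw value (plain "value"/"values", or no member at all)."""
    op = spec.get("OP") or spec.get("op")
    if op is not None:                       # "OP" element form
        return op, spec["value"]
    for key in spec:                         # operator-as-key form
        if key in _OPS:
            return key, spec[key]
    return None

def answer_age_request(claims_request: str, user_birthdate: str, today: date) -> dict:
    """Evaluate the predicate at the OP and return only a boolean outcome.
    The birthdate itself is never copied into the response."""
    spec = json.loads(claims_request)["id_token"]["birthdate"]
    pred = parse_predicate(spec)
    if pred is None:
        raise ValueError("RP requested the raw birthdate, not an age check")
    op, threshold = pred
    if op not in _OPS or not isinstance(threshold, int):
        raise ValueError(f"unsupported predicate {op!r} {threshold!r}")
    satisfied = _OPS[op](age_on(user_birthdate, today), threshold)
    # Echo the predicate so the RP can see which question was actually answered.
    return {"age_check": {"op": op, "threshold": threshold, "result": satisfied}}
```

A real OP would also have to record consent for the confirmation itself, which is the privacy point John raises above: the user is told that an attribute is being confirmed even though its value is not released.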