[Openid-specs-ab] How to use OIDC claims as an identity oracle
Torsten Lodderstedt
torsten at lodderstedt.net
Sun Nov 13 08:40:31 UTC 2016
FYI - we have implemented a proprietary claim, which tells the RP the
user is over 18. Our current implementation attests this boolean claim
only if the age of the respective user had been verified in accordance
with the relevant rules.

For a general solution, I would prefer to handle claim representation (I
don't mind whether this is a simple value or a value computed using a
highly sophisticated query language :-)) and the information about the
verification of the underlying data separately. We had a discussion about
this topic during our last joint MODRNA/Mobile Connect workshop. The
conclusion was: let's have new claims for new attributes or attributes
with different semantics, and let's represent the data about the
verification/validation explicitly.

best regards,
Torsten.
On 13.11.2016 at 15:53, John Bradley via Openid-specs-ab wrote:
>
> I always had the more XML pattern in mind where we would add an
> operator element to the claim object, e.g. "OP": and define values for
> "includes", ">=" etc.
>
> Rather than expand on value and values.
>
> I could live with it either way, and would favor whatever is easiest to
> parse for developers.
>
> It is worth talking about. Sometimes you want just a Y/N back.
>
> There are privacy issues to consider. Some argue that if the RP
> already has the info and is just validating it then they don't need to
> ask for consent. This is the slippery slope to becoming a data broker.
>
> We would also need to work on privacy guidance around notifying users
> that attributes are being confirmed.
>
> We already have an example of this with email address, when it is
> sent as the user hint and it is sent back in the id_token as an
> attribute without explicit release by the user at some IdP.
>
> I understand the logic but don't know that it is a good precedent for
> age or address etc.
>
> John B.
>
>
> On Nov 13, 2016 10:40, "Justin Richer via Openid-specs-ab"
> <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
> This is an interesting problem, and it aligns with some of the
> language in the new version of NIST 800-63 (version 3 volume C)
> about “attribute values” vs. “attribute claims/references” (note:
> we’re still arguing over those names). Basically, where possible,
> the RPs want a way to ask for confirmation of a value (such as age
> check) without getting at the underlying data to make that
> calculation (like a birthdate). A general purpose mechanism for
> this kind of query and response would be generally useful, I believe.
>
> I rather like George's proposed {"essential": true, ">": 18}
> approach, where ">" replaces "value", which is the "==" operator.
>
> — Justin
>
> > On Nov 5, 2016, at 4:32 AM, George Fletcher via Openid-specs-ab
> <openid-specs-ab at lists.openid.net
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
> >
> > Hi,
> >
> > As a relying party, I'd love to be able to ask the OpenID
> Provider whether the user authenticating is over a particular age.
> This could be used in many use cases. However, when I look at the
> spec, there is only a provided claim name of 'birthdate'. I don't
> really want the user's birth date, just an assertion that the user
> is over a particular age.
> >
> > I don't see a way to do this via the OIDC claim mechanism. Any
> thoughts on how an RP may make such a request?
> >
> > Thanks,
> > George
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> <mailto:Openid-specs-ab at lists.openid.net>
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
> <http://lists.openid.net/mailman/listinfo/openid-specs-ab>
>
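As an added example (not code from the thread, nor from any OpenID project), the following sketch shows how an OP could evaluate the predicate-style claims request discussed above while keeping the birthdate itself out of the response. It accepts George's `{"essential": true, ">": 18}` shape and John's explicit-operator `{"op": ">=", "value": 18}` shape, and, following Torsten's point, returns the verification status of the underlying data as a separate claim and declines to attest at all when the birthdate was never verified. The claim names `age` and `age_verification`, the record field `birthdate_verified`, the operator allow-list and the response layout are all assumptions made for this example.

```python
"""Added example: OP-side evaluation of an age predicate claims request.

Not code from the thread or from any OpenID implementation. Claim names,
record fields and the response layout are assumptions for illustration.
"""
from datetime import date

# The only comparisons the OP will evaluate. A fixed allow-list keeps an RP
# from turning the predicate mechanism into an open query over the attribute.
ALLOWED_OPS = {">", ">=", "<", "<=", "=="}


def age_on(birthdate_iso: str, today_iso: str) -> int:
    """Whole years elapsed since birthdate (ISO 8601 YYYY-MM-DD) as of today."""
    birthdate = date.fromisoformat(birthdate_iso)
    today = date.fromisoformat(today_iso)
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def parse_predicate(spec: dict):
    """Return (operator, threshold) from either request spelling.

    {"essential": true, ">": 18}  -> (">", 18)   (George's proposal)
    {"op": ">=", "value": 18}     -> (">=", 18)  (John's "OP" element)
    """
    if "op" in spec:
        op, threshold = spec["op"], spec.get("value")
    else:
        ops = [k for k in spec if k in ALLOWED_OPS]
        if len(ops) != 1:
            raise ValueError("exactly one comparison operator expected")
        op, threshold = ops[0], spec[ops[0]]
    if op not in ALLOWED_OPS:
        raise ValueError(f"unsupported operator {op!r}")
    # bool is a subclass of int in Python, so reject it explicitly.
    if not isinstance(threshold, int) or isinstance(threshold, bool):
        raise ValueError("threshold must be an integer")
    return op, threshold


def compare(op: str, actual: int, threshold: int) -> bool:
    """Apply one allow-listed comparison operator."""
    return {
        ">": actual > threshold,
        ">=": actual >= threshold,
        "<": actual < threshold,
        "<=": actual <= threshold,
        "==": actual == threshold,
    }[op]


def answer_claims_request(claims_request: dict, user_record: dict, today_iso: str) -> dict:
    """Build the id_token claims the OP releases for an "age" predicate.

    The birthdate never appears in the output: the RP receives a boolean
    result plus separate verification metadata, and nothing at all if the
    underlying birthdate was never verified (the claim is simply absent,
    "essential" or not, which is how OIDC treats unavailable claims).
    """
    released = {}
    spec = claims_request.get("id_token", {}).get("age")
    if spec is None:
        return released
    op, threshold = parse_predicate(spec)
    verification_method = user_record.get("birthdate_verified")
    if not verification_method:
        return released  # unverified data: decline to attest rather than guess
    actual = age_on(user_record["birthdate"], today_iso)
    released["age"] = {op: threshold, "result": compare(op, actual, threshold)}
    released["age_verification"] = {"verified": True, "method": verification_method}
    return released


if __name__ == "__main__":
    # Constructed sample data; the dates are not taken from the thread.
    request = {"id_token": {"age": {"essential": True, ">": 18}}}
    record = {"birthdate": "1995-06-30", "birthdate_verified": "id_document"}
    print(answer_claims_request(request, record, "2016-11-13"))
```

The interesting design point is in `answer_claims_request`: the comparison runs inside the OP, so the RP learns one bit (plus how that bit was established) instead of the birthdate, and the operator allow-list bounds what that bit can encode.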