[Openid-specs-ab] Issue #1116: Returning end user claims in id token (openid/connect)
jolivasf
issues-reply at bitbucket.org
Wed Oct 9 08:21:51 UTC 2019
New issue 1116: Returning end user claims in id token
https://bitbucket.org/openid/connect/issues/1116/returning-end-user-claims-in-id-token
Jorge Oliva:
Hi, while reading the docs from one of the certified products for OpenID ([https://www.npmjs.com/package/openid-client](https://www.npmjs.com/package/openid-client)) I have seen that:
"[Core 1.0 - Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) defines that claims requested using the scope parameter are only returned from the UserInfo Endpoint unless the response_type is id_token"
The exact part of the specification says:
"The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."
I'm not sure if that statement means "Do not put End-User claims in the ID Token unless response_type is id_token"...
So my question is, if I use just "code" as the response type in a request like this:
```
GET /authorize?
response_type=code
&scope=openid email
&client_id=3dfd89e1-964b-4ac4-ba46-977fc5f87db9
&request_uri=http://rp.example.com/request_obj/YTUHYJ6YHGT
Host: op.example.com
```
Then should the ID Token returned from the **/token** endpoint (when exchanging the code) have the End-User claims inside (I mean email and email_verified)? Or should it not contain these claims by specification?
Thanks!
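The Core 1.0 rule quoted above, as an added RP-side example (not code from the issue or from the openid-client package): it picks the source the spec mandates for scope-requested claims, and in the Access Token case also enforces the Section 5.3.2 check that the UserInfo `sub` matches the ID Token `sub`. It assumes the ID Token signature has already been verified and models tokens as plain claim dicts; the sample tokens are constructed.

```python
# Scope -> claim names, from OpenID Connect Core 1.0 section 5.4.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}


def issues_access_token(response_type: str) -> bool:
    """True for every response_type that results in an Access Token (code, token and
    the hybrid combinations); only the pure 'id_token' response does not."""
    return set(response_type.split()) != {"id_token"}


def requested_claims(scope: str) -> set:
    """Claim names requested through the scope parameter (unknown scopes add none)."""
    names = set()
    for value in scope.split():
        names |= SCOPE_CLAIMS.get(value, set())
    return names


def collect_claims(response_type, scope, id_token, fetch_userinfo):
    """Return the scope-requested End-User claims from the source the spec mandates.

    id_token: claims of an already-verified ID Token.
    fetch_userinfo: callable that calls the UserInfo Endpoint with the Access Token
    and returns the response as a dict (hypothetical helper, only used when an
    Access Token was issued).
    """
    wanted = requested_claims(scope)
    if not issues_access_token(response_type):
        # No Access Token: the OP returns the requested claims in the ID Token itself.
        return {k: v for k, v in id_token.items() if k in wanted}
    userinfo = fetch_userinfo()
    # Core 1.0 section 5.3.2: the UserInfo sub MUST exactly match the ID Token sub,
    # otherwise the UserInfo response must not be used.
    if userinfo.get("sub") != id_token.get("sub"):
        raise ValueError("UserInfo sub does not match ID Token sub")
    return {k: v for k, v in userinfo.items() if k in wanted}


# Constructed sample data for the request in the issue (response_type=code, scope "openid email").
ID_TOKEN = {"iss": "https://op.example.com", "sub": "248289761001",
            "aud": "3dfd89e1-964b-4ac4-ba46-977fc5f87db9"}
USERINFO = {"sub": "248289761001", "email": "janedoe@example.com", "email_verified": True}
```

For the code flow in the question, the helper reads email and email_verified from UserInfo even if the ID Token happens to carry them too; for response_type=id_token it reads them from the ID Token.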