[Openid-specs-ab] Issue #1117: Core 5.6.2 - behavior for distributed claims source if not all claims present not clear (openid/connect)
p_kowalik
issues-reply at bitbucket.org
Tue Oct 15 11:16:45 UTC 2019
New issue 1117: Core 5.6.2 - behavior for distributed claims source if not all claims present not clear
https://bitbucket.org/openid/connect/issues/1117/core-562-behavior-for-distributed-claims
Pawel Kowalik:
Hi,
For Aggregated Claims there is clear language saying
> … that MUST contain all the Claims in the `_claim_names` object that references the corresponding `_claim_sources` member.
For Distributed Claims there is no such language, leaving open the interpretation of what the correct expectation is. Is it allowed behavior that the claims source may not return some of the claims referenced in `_claim_names`? In case the system is distributed, the IdP may not know whether the claim source always contains all the claims (at least not without a back channel).
According to 5.3.2 it is suggested that the claims may be omitted, and the use of `null` as a substitute for missing values is discouraged.
> For privacy reasons, OpenID Providers MAY elect to not return values for some requested Claims.
>
> If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value.
The question appeared in the context of a certified RP client library for JavaScript “[node openid-client](https://www.npmjs.com/package/openid-client)”: [https://github.com/panva/node-openid-client/issues/197](https://github.com/panva/node-openid-client/issues/197)
Thanks,
Pawel