[Openid-specs-ab] Handling of invalid claim values within claims request parameter

Michael Jones michael_b_jones at hotmail.com
Sat Sep 30 20:14:40 UTC 2023 

Oh – I see.  Yes, if the request is syntactically invalid, then an error is called for.  The one caveat is this paragraph:
Other members MAY be defined to provide additional information about the requested Claims. Any members used that are not understood MUST be ignored.

But that doesn’t apply to Kai’s examples.

                                                       -- Mike

From: Joseph Heenan <joseph at authlete.com>
Sent: Saturday, September 30, 2023 12:47 PM
To: Michael Jones <michael_b_jones at hotmail.com>
Cc: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] Handling of invalid claim values within claims request parameter

Hi Mike

The particular case Kai is asking about is where the RP makes a syntactically invalid request for a claim - I think that is okay to treat as an error?

Joseph



On 30 Sep 2023, at 20:31, Michael Jones <michael_b_jones at hotmail.com<mailto:michael_b_jones at hotmail.com>> wrote:

https://openid.net/specs/openid-connect-core-1_0-32.html clarifies that “It is not an error condition to not return a requested Claim.”

There are many reasons why a requested claim may not be provided.  The OP may not have it.  The End-User may not have consented to its release.  Asking for a claim and not receiving it is not an error condition.  It’s up to the RP to decide how to handle that eventually.

                                                       -- Mike

From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net<mailto:openid-specs-ab-bounces at lists.openid.net>> On Behalf Of Joseph Heenan via Openid-specs-ab
Sent: Friday, September 29, 2023 8:08 AM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>>
Cc: Joseph Heenan <joseph at authlete.com<mailto:joseph at authlete.com>>
Subject: Re: [Openid-specs-ab] Handling of invalid claim values within claims request parameter

Hi Kai

I’m not sure any of these cases are really strictly defined. Certainly we don’t test any behaviours like this in any of the OpenID Foundation conformance tests, although the testing of the claims perhaps is certainly not comprehensive.

Rejecting the request seems fine.

Accepting the request but ignoring parts of it is probably acceptable as I can’t see anything that really defines the behaviour in this case. You should probably NOT return any claims where the request for that claim is invalid. The caveat would be that by ignoring that part of the request you’re also losing your ability to tell the developer why their request is not working as they expected, which makes it harder for them to figure out what they’ve done wrong and hence harder for them to fix their request to be valid.

In reality we really shouldn’t be expecting a situation like this to occur except when a developer has badly misread the specification, and hence my instinct is we should err towards returning an error that tells the developer what they’ve done wrong.

(For clarity the above is not an official position of the OpenID Foundation.)

Thanks

Joseph




On 28 Sep 2023, at 14:06, Kai Lehmann via Openid-specs-ab <openid-specs-ab at lists.openid.net<mailto:openid-specs-ab at lists.openid.net>> wrote:

Hi,

The OIDCC spec allows RPs to request individual claims with the claims parameter:

https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests

I was wondering how strict the OP should be in handling invalid claim values within this request. For example:

{
  “first_name”: “INVALID”,
  “last_name”: 5,
  “email”: {
    “essential”: “INVALID”
  }
}

My interpretation of “The member values MUST be one of the following …” would be that the claims request parameter would be invalid if it contained invalid member values and thus the server should reject the request with a redirect back to the RP’s provided redirect_uri with invalid_request error. Would a more relaxed parsing (ignoring invalid claim parameters) also be an option and still in accordance with the specification?

Best regards,
Kai

_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
https://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20230930/762bf322/attachment-0001.html>

More information about the Openid-specs-ab mailing list