[Openid-specs-ab] Special spec call notes 15-Jun-12

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Fri Jun 15 20:40:07 UTC 2012

Thank you guys for settling the claims_in_id_token issue.

I have to say I thought a lot about it, also from the broader
perspective of OAuth 2.0. But couldn't see a way to encode it, apart
from the existing request object method, that would feel right and
sound. So the decision to drop it is probably the best that could be
done in this situation.

Still, I now realise it will make sense to simplify this request for
clients and I plan to add an explicit option to our SDK API to request
the claims to be packed into the ID token (and let the SDK internals
construct the appropriate request object for this).


Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com

-------- Original Message --------
Subject: [Openid-specs-ab] Special spec call notes 15-Jun-12
From: Mike Jones <Michael.Jones at microsoft.com>
Date: Fri, June 15, 2012 6:11 pm
To: "openid-specs-ab at lists.openid.net"
<openid-specs-ab at lists.openid.net>

  Special spec call notes 15-Jun-12
 Special call about syntax for requesting claims in the ID Token
 Nat Sakimura
 Nov Matake
 Brian Campbell
 Justin Richer
 Amanda Anganes
 Sascha Preibisch
 Mike Jones
 Ryo Ito
 Roland Hedberg
 George Fletcher
                Requesting claims in the ID Token
                Enabling the use of URIs as OAuth client_id values
                Call scheduling
 Nat prepared a document with the possible set of choices before the
 There was significant discussion of the choices, some of which is
captured below
 There is consensus that we need the ability to return claims in the ID
 We already have a means of requesting claims in the ID Token via the
OpenID Request Object
                This wasn't clear to Brian, Justin, and Roland
                We probably need to add an example
 Brian:    He is displaying scope values to the user for approval
 Nat:       Concurred that IdPs may authorize release of claims based
upon scope values
 Brian:    Argued that the openid scope is an authorization for SSO, and
so can be approved too
 Justin:    Also said that he's displaying scope-based requests to the
 Mike:     The openid scope modifies the behavior of the OAuth request
as a switch
 Nat:       The claims_in_id_token scope is a pure switch
 Mike:     There is the need to authorize the release of claims not
requested by scopes
 Brian:    In some enterprise contexts, consent to release claims is
 Roland: Release of claims should require consent in SAML as well
                This was discussed in the higher ed community
 Justin:    Putting claims in the ID Token is an advanced use case
 Mike:     Claims in the ID Token is simpler than claims in UserInfo
endpoint - UserInfo is the advanced case
 George:               ID Tokens were designed to be small - not all
claims are needed for session management
 Mike:     Claims in ID Token may be the primary way requests are made
 Justin:    Mitre plans to use the UserInfo endpoint primarily
 Nov:      Claims in ID Token is not a major use case
 Sascha: Claims in ID Token are designed just for session state
 Nat:       Does returning claims in ID token warrant additional scope
                Most people said "no" based on an IETF-style "hum"
 Therefore, we will remove the claims_in_id_token scope value
                Claims in the ID Token can still be requested using the
OpenID Request Object
 Enabling the use of URIs as OAuth client_id values:
                Mike:     Raised the issue of including colons in OAuth
                Brian:    Agreed that colon should not be disallowed
                Justin:    Suggested that the client_id always be
encoded when using HTTP Basic
                               He said so on the OAuth list
                Others also agreed that this is important
 Call scheduling
                We will move the Thursday call to this time (7am
                This time works better for Europeans and some US East
Coast participants
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net

More information about the Openid-specs-ab mailing list