[Openid-specs-ab] Resolving ID Token + UserInfo claim requests

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Thu Oct 11 11:18:13 UTC 2012


Thanks Roland.

I just used that to code a routine for establishing the required ID
Token claims, using the "response_type" parameter as input:

https://bitbucket.org/nimbusds/openid-connect-sdk/src/bb28665bd88d/src/com/nimbusds/openid/connect/messages/IDTokenClaimsRequest.java?at=master#cl-47

It looks succinct and nice now.


After some tinkering I found an efficient way to represent the whole
process of resolving the claims in OO Java:

* A base abstract class with methods for storing and returning the
required and requested (essential and voluntary) claims.

* Extending class for ID Token specific claims - uses the response_type
and the optional request object to resolve the three claim types.

* Extending class for UserInfo claims - uses the scope parameter and the
optional request object to resolve the three claim types.


Here is the code if someone is interested:

Base ClaimsRequest class:

https://bitbucket.org/nimbusds/openid-connect-sdk/src/bb28665bd88ddf152e206204f94790bf924e75c5/src/com/nimbusds/openid/connect/messages/ClaimsRequest.java?at=master


Extending IDTokenClaimsRequest class:

https://bitbucket.org/nimbusds/openid-connect-sdk/src/bb28665bd88ddf152e206204f94790bf924e75c5/src/com/nimbusds/openid/connect/messages/IDTokenClaimsRequest.java?at=master


Extending UserInfoClaimsRequest class:

https://bitbucket.org/nimbusds/openid-connect-sdk/src/bb28665bd88ddf152e206204f94790bf924e75c5/src/com/nimbusds/openid/connect/messages/UserInfoClaimsRequest.java?at=master



Cheers,

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
-------- Original Message --------
Subject: Re: [Openid-specs-ab] Resolving ID Token + UserInfo claim requests
From: Roland Hedberg <roland.hedberg at adm.umu.se>
Date: Thu, October 11, 2012 10:24 am
To: Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com>
Cc: "openid-specs-ab at lists.openid.net"
<openid-specs-ab at lists.openid.net>


Hi Vladimir,

On 11 Oct 2012, at 10:25, Vladimir Dzhuvinov / NimbusDS
<vladimir at nimbusds.com> wrote:

> For that. I want to ask, can we say that the following claims
> categorisation is correct:
> 
> On the top level we have REQUIRED and OPTIONAL claims:
> 
> * REQUIRED claims that the AS must include in all cases: For the IDToken
> these are the claims marked as required in Messages 2.1.1.; for UserInfo
> the "user_id" claim as per Messages 2.3.2.

Herein lies most of the messiness, a total of four special cases:
- Depending on the response_type value in the Authorization Request,
  'nonce' is either REQUIRED or OPTIONAL.
- at_hash is REQUIRED if the ID Token is issued together with an
  access_token.
- c_hash is REQUIRED if the ID Token is issued together with a code.
- auth_time is REQUIRED if claimed in the OpenID Request Object,
  otherwise OPTIONAL.

In fact I think it's wrong to mark at_hash and c_hash as OPTIONAL
because they are either REQUIRED or not expected to occur.

> * OPTIONAL claims which the AS may or may not provide; of these
> depending on the client request we have as per Messages 2.1.2.1.3:
> 
> * ESSENTIAL: claims marked as crucial for the client operation.
> 
> * VOLUNTARY: claims marked as nice-to-have for the client operation.


I guess the possibly OPTIONAL ones from 2.1.1 are of the
VOLUNTARY type, though that is not stated anywhere.

-- Roland
------------------------------------------------------
Roland Hedberg
IT Architect/Senior Researcher
ICT Services and System Development (ITS) 
Umeå University 
SE-901 87 Umeå, Sweden 
Phone +46 90 786 68 44
Mobile +46 70 696 68 44 
www.its.umu.se
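The class layout Vladimir sketches above (a base class holding the required, essential and voluntary claim sets, with an ID Token subclass resolving them from response_type plus the request object and a UserInfo subclass resolving them from scope plus the request object) together with the four special cases Roland lists, worked through as an added example. This is not code from the Nimbus SDK or from either author, and it is Python rather than the SDK's Java. Assumed, because the page does not spell them out: the base REQUIRED and OPTIONAL claim lists of the 2012 Messages draft, a subset of the scope-to-claims table, and the request object shape (an "id_token" / "userinfo" member mapping claim names to null or {"essential": true}). It treats the ID Token as the one issued by the authorization endpoint, so at_hash and c_hash become REQUIRED only when the matching token comes back alongside it and are otherwise left out of every bucket, as Roland argues.

```python
"""Resolve the claims an OpenID Connect ID Token or UserInfo response must carry.

Three buckets, as discussed in the thread:
  required  - the server includes them in every response
  essential - the client flagged them {"essential": true} in the OpenID Request Object
  voluntary - nice-to-have: scope-derived claims, unflagged request-object claims,
              and the claims the Messages draft marks OPTIONAL
"""

# ASSUMED (not stated on the page): claims Messages 2.1.1 marked REQUIRED in 2012.
ID_TOKEN_BASE_REQUIRED = frozenset({"iss", "user_id", "aud", "exp", "iat"})
# ASSUMED: the OPTIONAL 2.1.1 claims, which the thread reads as VOLUNTARY.
ID_TOKEN_BASE_OPTIONAL = frozenset({"acr", "auth_time"})
# ASSUMED subset of the scope -> claims table; extend it from the spec as needed.
SCOPE_CLAIMS = {
    "profile": frozenset({"name", "given_name", "family_name", "nickname", "picture"}),
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number"}),
}
RESPONSE_TYPE_VALUES = frozenset({"code", "id_token", "token"})


class ClaimsRequest:
    """Base class: stores the three claim sets and resolves overlaps between them."""

    def __init__(self):
        self.required = set()
        self.essential = set()
        self.voluntary = set()

    def add_requested(self, claims):
        """File request-object claims: {"essential": true} -> essential; anything else
        (null, {}, {"essential": false}) -> voluntary."""
        for name, spec in (claims or {}).items():
            if isinstance(spec, dict) and spec.get("essential") is True:
                self.essential.add(name)
            else:
                self.voluntary.add(name)

    def resolve(self):
        """Return (required, essential, voluntary) with every claim in exactly one set;
        the stronger category wins, so a required claim is never also voluntary."""
        essential = self.essential - self.required
        voluntary = self.voluntary - self.required - essential
        return frozenset(self.required), frozenset(essential), frozenset(voluntary)


class IDTokenClaimsRequest(ClaimsRequest):
    """ID Token claims, resolved from response_type and the optional request object."""

    def __init__(self, response_type, request_object=None):
        super().__init__()
        rt = set(response_type.split())
        if not rt or not rt <= RESPONSE_TYPE_VALUES or rt == {"token"}:
            raise ValueError(f"no ID Token for response_type {response_type!r}")
        self.required |= ID_TOKEN_BASE_REQUIRED
        self.voluntary |= ID_TOKEN_BASE_OPTIONAL
        if "id_token" in rt:
            # ID Token issued straight from the authorization endpoint: nonce is
            # REQUIRED, as is a hash of whatever is issued alongside the ID Token.
            self.required.add("nonce")
            if "token" in rt:
                self.required.add("at_hash")
            if "code" in rt:
                self.required.add("c_hash")
        else:
            # Code flow: nonce is OPTIONAL; at_hash/c_hash are not expected at all,
            # so they land in no bucket rather than being marked OPTIONAL.
            self.voluntary.add("nonce")
        claimed = dict((request_object or {}).get("id_token") or {})
        # auth_time becomes REQUIRED as soon as the client claims it, however flagged.
        if "auth_time" in claimed:
            del claimed["auth_time"]
            self.required.add("auth_time")
        self.add_requested(claimed)


class UserInfoClaimsRequest(ClaimsRequest):
    """UserInfo claims, resolved from scope and the optional request object."""

    def __init__(self, scope, request_object=None):
        super().__init__()
        scopes = set(scope.split())
        if "openid" not in scopes:
            raise ValueError("scope must contain 'openid' for a UserInfo request")
        self.required.add("user_id")  # Messages 2.3.2: always present
        for value in scopes:
            self.voluntary |= SCOPE_CLAIMS.get(value, frozenset())
        self.add_requested((request_object or {}).get("userinfo"))


if __name__ == "__main__":
    # Constructed sample: hybrid flow, auth_time claimed, acr essential; email scope
    # plus an essential name claim and a voluntary picture claim for UserInfo.
    request_object = {
        "id_token": {"auth_time": None, "acr": {"essential": True}},
        "userinfo": {"name": {"essential": True}, "picture": None},
    }
    for label, req in (
        ("ID Token", IDTokenClaimsRequest("code id_token", request_object)),
        ("UserInfo", UserInfoClaimsRequest("openid email", request_object)),
    ):
        required, essential, voluntary = req.resolve()
        print(f"{label}: required={sorted(required)} essential={sorted(essential)} "
              f"voluntary={sorted(voluntary)}")
```

Keeping at_hash and c_hash out of every bucket unless they are REQUIRED is the point of the design: a validator built on these sets can then refuse an ID Token that carries a hash it has no token to check against, instead of silently accepting it as an unverified optional claim.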

