[Openid-specs-ab] [openid/connect] Common UserInfo "verified_claims" claim? (issue #809)

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Tue Mar 12 07:37:02 UTC 2013

Hi Tim,

Do you mean the case when the UserInfo claims are shipped with the ID

To stress that the listed verified claim names apply only to the
UserInfo, it could be called "verified_userinfo_claims" instead. It
should be possible to insert this claim into the ID token just as any
other UserInfo claim. The total UserInfo claim count should not be
affected, and may even be reduced if people see a need for extending
"verified" to phone number as previously suggested.


Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com

-------- Original Message --------
Subject: Re: [Openid-specs-ab] [openid/connect] Common UserInfo
"verified_claims" claim? (issue #809)
From: Tim Bray <tbray at textuality.com>
Date: Tue, March 12, 2013 6:43 am
To: Vladimir Dzhuvinov <issues-reply at bitbucket.org>
Cc: "<openid-specs-ab at lists.openid.net>"
<openid-specs-ab at lists.openid.net>

[Insert standard grumpy note about the impact of redesigning the ID
Token payload structure at this stage of the process.]


 On Mon, Mar 11, 2013 at 11:34 PM, Vladimir Dzhuvinov
<issues-reply at bitbucket.org> wrote:
 --- you can reply above this line ---
 New issue 809: Common UserInfo "verified_claims" claim?
 Vladimir Dzhuvinov:
 Hi guys,
 The other day I went to my bank to have my electronic signature updated
and realised that the concept of verification can actually apply to
other claims such as name and date of birth (not just email and phone
numbers). Specifying an additional "x_verified" for each claim that can
be potentially verified however seems too much.
 How about defining a single common claim, represented by a JSON array
of strings, to list all claim names, of those returned with the
UserInfo, that the IdP wishes to mark as verified? This claim could be
called "verified_claims".
 For instance, if the email and phone number returned with the UserInfo
have been verified:
     "verified_claims" : [ "email", "phone_number" ]
 Or names and address:
     "verified_claims" : [ "name", "given_name", "middle_name",
"family_name", "address"]
 If none of the returned claims are verified, the array could be empty
or entirely omitted:
     "verified_claims" : [ ]
 This mechanism for indicating verified claims could potentially be used
for custom (outside the std. schema) claims as well:
     "verified_claims" : ["x-custom", "y-custom", "z-custom"]
 This is an issue notification from bitbucket.org. You are receiving
 this either because you are the owner of the issue, or you are
 following the issue.
 Openid-specs-ab mailing list
 Openid-specs-ab at lists.openid.net

Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net

More information about the Openid-specs-ab mailing list