[Openid-specs-ab] user claims in id_token

Preibisch, Sascha H Sascha.Preibisch at ca.com
Fri Aug 28 18:22:23 UTC 2015


Thanks Torsten!

So I would simply include "claims" as URL encoded value something like below:

Claim as JSON:

{"id_token":{"given_name": {"essential": true}}}

And then in my authorization request like:

?...response_type=code&client_id=xyz&claims=%7B%22id_token%22%3A%7B%22given_name%22%3A%20%7B%22essential%22%3A%20true%7D%7D%7D

That is simple enough. That wasn't obvious to me when reading the spec.

Thank you,
Sascha

From: Torsten Lodderstedt <torsten at lodderstedt.net>
Date: Friday, August 28, 2015 at 2:57 AM
To: Sascha Preibisch <sascha.preibisch at ca.com>, Mike Jones <Michael.Jones at microsoft.com>, "openid-specs-ab at lists.openid.net Ab" <openid-specs-ab at lists.openid.net>
Subject: Re: [Openid-specs-ab] user claims in id_token

Hi Sascha,

you don't need to use the request object, the plain request parameter does the job as well. And it should work across response types.

best regards,
Torsten.

On 18.08.2015 at 23:35, Preibisch, Sascha H wrote:
Thanks Mike!

And the second part of my question which I forgot:

  *   will these claims end up in the id_token only if a request object is used?

As far as I see it the response_type "id_token" would do the same but not other response_types like "token id_token"
Sascha

From: Mike Jones <Michael.Jones at microsoft.com>
Date: Tuesday, August 18, 2015 at 2:31 PM
To: Sascha Preibisch <sascha.preibisch at ca.com>, "openid-specs-ab at lists.openid.net Ab" <openid-specs-ab at lists.openid.net>
Subject: RE: user claims in id_token

Yes, this is valid as the value of a "claims" request parameter.  Bear in mind that not all servers support this parameter, however, so your results will vary depending upon the server used.

-- Mike

From: Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Preibisch, Sascha H
Sent: Tuesday, August 18, 2015 2:28 PM
To: openid-specs-ab at lists.openid.net Ab
Subject: [Openid-specs-ab] user claims in id_token

Hi!

I almost feel bad to ask because I should find the answer in the spec. But I did not find it.

Is it valid to request "userinfo" related claims to be in the id_token?

Can I send a request object like shown below? I would like to avoid the call to the /userinfo endpoint.

Thanks, Sascha

{
   "userinfo":
    {
     "given_name": {"essential": true},
     "nickname": null,
     "email": {"essential": true},
     "email_verified": {"essential": true},
     "picture": null,
     "http://example.info/claims/groups": null
    },
   "id_token":
    {
     "given_name": {"essential": true},
     "nickname": null,
     "email": {"essential": true}
    }
  }
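
The plain "claims" request parameter discussed in this thread, as an added example that is not part of the original messages: the client serializes and percent-encodes the JSON with a library instead of by hand, and the receiving side rejects a value that does not decode to a well-formed claims request. The endpoint, redirect URI, function names and the truncated sample are assumptions made for illustration.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint and redirect URI; "xyz" is the client_id used in the thread.
AUTHZ_ENDPOINT = "https://op.example.com/authorize"
REDIRECT_URI = "https://client.example.org/cb"


def build_authorization_url(id_token_claims, client_id="xyz"):
    """Client side: serialize the claims request and percent-encode it."""
    claims = json.dumps({"id_token": id_token_claims}, separators=(",", ":"))
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "claims": claims,
    })
    return f"{AUTHZ_ENDPOINT}?{query}"


def requested_id_token_claims(url):
    """Server side: decode 'claims' and return {claim name: essential?}."""
    values = parse_qs(urlsplit(url).query).get("claims", [])
    if len(values) != 1:
        raise ValueError("expected exactly one 'claims' parameter")
    try:
        claims = json.loads(values[0])
    except json.JSONDecodeError as exc:
        raise ValueError(f"'claims' is not valid JSON: {exc.msg}") from None
    if not isinstance(claims, dict):
        raise ValueError("'claims' must be a JSON object")
    id_token = claims.get("id_token") or {}
    if not isinstance(id_token, dict):
        raise ValueError("'id_token' must be a JSON object")
    result = {}
    for name, spec in id_token.items():
        # Each entry is null (voluntary, default handling) or an object.
        if spec is not None and not isinstance(spec, dict):
            raise ValueError(f"claim {name!r} must be null or an object")
        essential = (spec or {}).get("essential", False)
        if not isinstance(essential, bool):
            raise ValueError(f"'essential' for {name!r} must be a boolean")
        result[name] = essential
    return result


# Constructed malformed request: the JSON lost its final closing brace.
TRUNCATED = (AUTHZ_ENDPOINT + "?response_type=code&client_id=xyz&claims="
             "%7B%22id_token%22%3A%7B%22given_name%22%3A%7B%22essential%22%3Atrue%7D%7D")
```
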


