[Openid-specs-ab] Essential claims with the scope value openid

Roland Hedberg roland at catalogix.se
Tue Aug 29 08:25:22 UTC 2017


> On Aug 8, 2017 7:49 AM, "Hasini Witharana" <hasinidilanka at gmail.com> wrote:
> Hi,
> 
> Currently I am working with OpenID Connect Certification basic profile. In the OP, I have configured some claims to be gained when the scope is openid. When I send a authorization request with  an essential claim I will get all claims for openid and the essential claim. In the specifications there is no, rule as It should return only the essential claim. "OP-claims-essential" test is failing because unexpected claims are returned. Can you please clarify this issue?

Must be my long vacation :-) but I’m not sure I understand what you’re saying here.
This is my interpretation.

1) you have an OP that returns a set of claims when the scope is ’openid’.
As John said that set should only be ’subject’ and ’issuer’.

2) You run the ’OP-claims-essential’ test using the OpenID test tool.
This will send an authorization request including one essential claim (’name’)

So, you should expect to get back ’subject’, ’issuer’ and ’name’.

Now, You say that the test fails due to ’unexpected claims’ being returned.
This means your OP returns more claims then these three.
I don’t know what the extra claims are but as John and Nat has pointed out your OP MUST not return
claims that are not asked for.

If my interpretation is right the test tool does exactly what it should.

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark Twain



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20170829/bfab0c5f/attachment.asc>


More information about the Openid-specs-ab mailing list