[Openid-specs-ab] A request for all possible claims (was OpenID Connect for Identity Proofing)

Marcos Sanz sanz at denic.de
Mon Sep 16 08:37:14 UTC 2019


Hi all,

while taking a look at  
https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#rfc.section.5.1 
I stumbled* upon

--
Note: A claims sub-element with value null is interpreted as a request for 
all possible Claims. An example is shown in the following:
{ 
   "userinfo":{ 
      "verified_claims":{ 
         "claims":null
      }
   } 
}
Note: The claims sub-element can be omitted, which is equivalent to a 
claims element whose value is null.
--

This is a very powerful/useful request type. As a matter of fact we are 
using something similar and would like to extend this expressiveness to 
non-verified claims (details on the use case with pleasure upon request). 
From what we see, the OIDC core doesn't have something comparable though 
and we were wondering, what would be the best OIDC syntax to deal with it.

A) First possibility, mimicking the verified claims world, the auth 
request contains at the top level

{
   "userinfo": null
}

(also read "id_token" instead of "userinfo" if you want to)

B) Second possibility, introducing a "special" claim name with a wildcard 
meaning, e.g.:

  {
   "userinfo":
    {
     "*": null
    }
  }

C) Whatever you suggest.

Any guidance on this would be welcome.

Thanks and regards
Marcos

* Three "Note:" in a row are probably not the best stylistics.. :-)
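
The request forms discussed in the post above, as an added example that is not part of the original message or of any OpenID specification: a sketch of how an OP could expand a "claims" parameter into concrete claim names. The AVAILABLE table, the function names and the allow_proposals switch are assumptions; options A and B are the post's proposals, not standard OIDC, so they are off by default.

```python
import json

# Assumption: the claims this hypothetical OP can release for the current user.
AVAILABLE = {
    "userinfo": ["sub", "email", "given_name", "family_name"],
    "verified_claims": ["given_name", "family_name", "birthdate"],
}

def expand(members, available, wildcard=False):
    """None means 'all possible claims'; a dict names the claims wanted."""
    if members is None:
        return sorted(available)
    if wildcard and "*" in members:  # option B from the post
        return sorted(available)
    # Names the OP does not know (including a stray "*") are ignored.
    return sorted(c for c in members if c in available)

def resolve(claims_param, target="userinfo", allow_proposals=False):
    """Return (plain_claims, verified_claims) requested for `target`."""
    request = json.loads(claims_param)
    if target not in request:
        return [], []
    section = request[target]
    if section is None:
        # Option A from the post: a top-level null. Reject unless opted in.
        if not allow_proposals:
            raise ValueError(f"{target!r} must be an object, not null")
        # Assumption: option A covers plain claims only.
        return sorted(AVAILABLE["userinfo"]), []
    section = dict(section)
    verified = []
    if "verified_claims" in section:
        vc = section.pop("verified_claims")
        if not isinstance(vc, dict):
            # Assumption: this sketch only accepts an object here.
            raise ValueError("verified_claims must be an object")
        # Per the quoted note: "claims": null and an omitted "claims"
        # sub-element both request all possible verified claims.
        verified = expand(vc.get("claims"), AVAILABLE["verified_claims"])
    plain = expand(section, AVAILABLE["userinfo"], wildcard=allow_proposals)
    return plain, verified

if __name__ == "__main__":
    quoted = '{"userinfo":{"verified_claims":{"claims":null}}}'
    print(resolve(quoted))
    print(resolve('{"userinfo":{"*":null}}', allow_proposals=True))
```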

