[Openid-specs-ab] Issue #1146: certification: is return an empty address object permitted (openid/connect)

josephheenan issues-reply at bitbucket.org
Thu Dec 19 14:57:19 UTC 2019

New issue 1146: certification: is return an empty address object permitted

Joseph Heenan:

We’ve run into a case where a user info response is returned with an empty address object, i.e.


  "sub": "znvZXyc-Rdv_vCf6DS1taj0Oc98uERaDjdbsBCraYRA",
  "@odata.context": "https://graph.microsoft.com/v2/66522826-e2e1-4cd9-82f5-6222397816bb/$metadata#directoryObjects/$entity",
  "@odata.type": "#Microsoft.DirectoryServices.UserInfo",
  "@odata.id": "https://graph.microsoft.com/v2/66522826-e2e1-4cd9-82f5-6222397816bb/directoryObjects/8dd678ce-eef8-4a6a-bf16-87b8da5f05e9/Microsoft.DirectoryServices.UserInfo",
  "id": "8dd678ce-eef8-4a6a-bf16-87b8da5f05e9",
  "name": "Manju",
  "address": {},
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value"

\(In this particular case the authorization request was:





[https://openid.net/specs/openid-connect-core-1\_0.html#StandardClaims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) says:


> Address.  Json Object.   End-User's preferred postal address. The value of the address member is a JSON \[RFC4627\] structure containing some or all of the members defined in Section 5.1.1.


> The Address Claim represents a physical mailing address. Implementations MAY return only a subset of the fields of an `address`, depending upon the information available and the End-User's privacy preferences. For example, the `country` and `region` might be returned without returning more fine-grained address information.
> Implementations MAY return just the full address as a single string in the formatted sub-field, or they MAY return just the individual component fields using the other sub-fields, or they MAY return both. If both variants are returned, they SHOULD be describing the same address, with the formatted address indicating how the component fields are combined.

The general language here \(“containing some”, “subset of the fields”\) makes me read this as requiring that the dictionary will always contain at least one element if present.

Clarification from the working group would be appreciated; I think the choices are:

1. The spec requires address to be non empty if present => certification fails
2. The spec recommends address is non-empty if present => certification passes, but warning issued by test tool
3. An empty address object is absolutely acceptable => certification passes \(and possibly spec language should be clarified\)

My understanding is the current python tests don’t check for this scenario.


More information about the Openid-specs-ab mailing list