Unfortunately other work obligations kept me from attending the last in-person WG meeting but, had I been there, I would have expressed the same hesitation around the claims_in_id_token scope. It can work and if there's consensus for it, that's fine. But it is rather awkward and I wanted to raise the question.<br>
<br>Your point about the "openid" scope is taken but I'd argue that even though it does alter/augment the rest of the exchange, that's a necessary piece to bootstrap the whole connect SSO flow. And even with that it still seems to fit the OAuth concept of a scope - in that it enables access to the user_id<tt></tt>
Claim at the protected resource that is the UserInfo Endpoint. Where claims_in_id_token as a scope is just a flag on the request to indicate how the response is formed (or is it also somehow intended to constrain client access to the UserInfo Endpoint?).<br>
<br><br><br><div class="gmail_quote">On Tue, Jun 5, 2012 at 11:09 AM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">We discussed having separate scopes like email_id at the in-person working group meeting at Yahoo! and explicitly rejected that approach. We’re not trying
to provide fine-grained control with scopes. (If you need that, use a request object.) We are providing a binary switch saying that the scope-requested claims are to be returned in a different place. As such, at least as I see it, the logical place to make
that declaration is also as a scope value.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Per Brian’s comment about special treatment for scope values – that was already true without claims_in_id_token. The “openid” scope alters/augments the semantics
of the rest of the entire OAuth exchange (including enabling the id_token). Compared to that, the special handling for the claims_in_id_token scope value is much less pervasive in impact.<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">For what it’s worth, I’m strongly against defining a new parameter when the consensus decision at the in-person working group was to use a scope value. We
specifically discussed that approach and agreed upon it. I believe that if we’re going even consider changing that, we should likewise do so at another in-person working group meeting. The reason I say that is that the decisions made in March at Yahoo! were
*<b>much</b>* more widely reviewed and discussed than most working group decisions, and so should be accorded special respect. (That’s the reason we decide consequential things at in-person WG meetings, after all.)<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> John Bradley [mailto:<a href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>]
<br>
<b>Sent:</b> Tuesday, June 05, 2012 9:53 AM<br>
<b>To:</b> Brian Campbell<br>
<b>Cc:</b> Mike Jones; <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-ab] May 25, 2012 OpenID Connect Update Release<u></u><u></u></span></p>
</div>
</div><div><div class="h5">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I don't know that anyone is deeply attached to having it as a scope. The idea was to not require a request object.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Scopes implicitly specify the RS endpoint. This is sort of modifying the endpoint for other scopes, and I understand that is a touch awkward.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Would something like having separate scopes like:<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">email_id<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">profile_id<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">phone_id <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal">address_id<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">If you ask for email it comes back from user_info and if you ask for email_id it is in the id_token.<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">Or is there something else you are thinking such as adding an extra parameter? We are trying not to diverge from OAuth as much as possible. (Yes I know id_token is a big divergence)<u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">If people don't like the <span><span style="font-family:"Courier New";color:#003366">claims_in_id_token
</span></span><span>scope then lets get alternate proposals on the table quickly.</span><u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">John B.<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<div>
<p class="MsoNormal">On 2012-06-05, at 12:25 PM, Brian Campbell wrote:<u></u><u></u></p>
</div>
<p class="MsoNormal"><br>
<br>
<u></u><u></u></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">I'm trying to understand why a scope was used to indicate the desire for user info claims to be returned in the ID Token? It really seems like something that should be isolated to a flag on the request (a new
parameter or something in the request object). It feels out of place as a scope and will require ASs to have special conditional treatment of that one scope value (which I'd like to avoid as I'd think most implementers would).
<br>
<br>
<u></u><u></u></p>
<div>
<p class="MsoNormal">On Sat, May 26, 2012 at 12:13 AM, Mike Jones <<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>> wrote:<u></u><u></u></p>
<div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
<ul type="disc">
<li class="MsoNormal">
<span style="font-family:"Verdana","sans-serif"" lang="EN">Added scope value </span>
<span style="font-family:"Courier New";color:#003366" lang="EN">claims_in_id_token</span><span style="font-family:"Verdana","sans-serif"" lang="EN"> as a switch to indicate that the UserInfo claims should be returned in the ID Token, per issue #561</span><u></u><u></u></li>
</ul>
</div>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></p>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
</div></div></div>
</div>
</blockquote></div><br>