<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Aug 20, 2015 at 10:09 AM, Mike Schwartz <span dir="ltr"><<a href="mailto:mike@gluu.org" target="_blank">mike@gluu.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Is it valid to request "userinfo" related claims to be in the id_token?<br>
</blockquote></blockquote></blockquote>
<br></span>
One thing I've pointed out in the past is that a discovery request returns the claims supported, and the scopes supported, but not which claims are associated with which scopes.<br></blockquote><div><br></div><div>The spec does suggest what claims should be implied by what scopes: <a href="http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims">http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims</a></div><div><br></div><div>I interpreted that to mean if a claim is declared as supported in a discovery doc, it should be returned when the relevant scope is requested as per 5.4.</div><div><br></div><div>Though even if that's the case, there's no guarantee whether that claim would be in the id token, or userinfo response, as has been pointed out earlier.</div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
In the Gluu Server we naughtily added this one claim to discovery to help clients know which scope to request, because as Mike Jones pointed out, some OPs (like the Gluu Server) don't support individual requests for claims.<br>
<br>
Anyway... maybe if there's an OpenID Connect 2.0 at some point it's worth considering. In enterprise use cases where there are custom user claims and scopes it might be more useful.<br>
<br>
<pre>"scope_to_claims_mapping": [
        {
            "scope": "email",
            "claims": ["mail"]
        },
        {
            "scope": "address",
            "claims": [
                "mail",
                "street",
                "l",
                "st",
                "postOfficeBox",
                "postalCode",
                "postalAddress"
            ]
        }
]</pre>
<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div><br></div></div>
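<p>Added example, not part of the thread above and not Gluu's or OpenID's code: a client-side check of the two points raised in the reply. It starts from the scope-to-claims table in OpenID Connect Core 1.0 section 5.4, overlays a discovery document's non-standard "scope_to_claims_mapping" entries when present (the shape quoted in the message), intersects the result with claims_supported to get the claims a relying party can reasonably expect for a set of requested scopes, and then records where each expected claim actually arrived (ID token, userinfo, or nowhere), since the spec gives no guarantee about which response carries it. The issuer, discovery document, scope names and token contents are constructed for the example.</p>

```python
import json

# Scope -> claims table from OpenID Connect Core 1.0, section 5.4.
STANDARD_SCOPE_CLAIMS = {
    "profile": frozenset({
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    }),
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number", "phone_number_verified"}),
}

# Constructed discovery document for a hypothetical issuer. Besides the standard
# scopes_supported / claims_supported it carries the non-standard
# "scope_to_claims_mapping" shape quoted in the thread.
SAMPLE_DISCOVERY_JSON = """
{
  "issuer": "https://op.example",
  "scopes_supported": ["openid", "profile", "email", "address", "custom_roles"],
  "claims_supported": ["sub", "name", "given_name", "mail", "street", "l", "postalCode"],
  "scope_to_claims_mapping": [
    {"scope": "email", "claims": ["mail"]},
    {"scope": "address", "claims": ["mail", "street", "l", "st",
                                    "postOfficeBox", "postalCode", "postalAddress"]}
  ]
}
"""


def scope_claims_from_discovery(discovery):
    """Scope -> claims mapping for one OP: the 5.4 defaults, overridden by any
    scope_to_claims_mapping entries, limited to scopes the OP says it supports."""
    mapping = dict(STANDARD_SCOPE_CLAIMS)
    for entry in discovery.get("scope_to_claims_mapping", []):
        mapping[entry["scope"]] = frozenset(entry["claims"])
    supported_scopes = set(discovery.get("scopes_supported", []))
    return {scope: claims for scope, claims in mapping.items() if scope in supported_scopes}


def expected_claims(discovery, requested_scopes):
    """Return (expected, unknown_scopes).

    expected: claims implied by the requested scopes that are also advertised in
    claims_supported (the reading of 5.4 given in the reply).
    unknown_scopes: requested scopes with no mapping, e.g. a custom scope the
    discovery document says nothing about, so nothing can be expected for them."""
    mapping = scope_claims_from_discovery(discovery)
    advertised = set(discovery.get("claims_supported", []))
    expected, unknown = set(), []
    for scope in requested_scopes:
        if scope == "openid":
            continue  # mandatory scope; "sub" is always in the ID token, nothing else implied
        if scope not in mapping:
            unknown.append(scope)
            continue
        expected |= mapping[scope] & advertised
    return frozenset(expected), unknown


def locate_claims(expected, id_token_claims, userinfo_claims):
    """For each expected claim, record whether it came in the ID token, in the
    userinfo response, or not at all. A client that needs a claim must look in
    both places, and treat 'missing' as a hard failure rather than a default."""
    where = {}
    for claim in sorted(expected):
        if claim in id_token_claims:
            where[claim] = "id_token"
        elif claim in userinfo_claims:
            where[claim] = "userinfo"
        else:
            where[claim] = "missing"
    return where


def demo():
    discovery = json.loads(SAMPLE_DISCOVERY_JSON)
    expected, unknown = expected_claims(
        discovery, ["openid", "profile", "email", "address", "custom_roles"])
    # Constructed responses: this OP put some claims in the ID token and others in
    # userinfo, and omitted a couple it had advertised.
    id_token_claims = {"sub": "248289761001", "name": "Jane Doe", "mail": "jane@example.org"}
    userinfo_claims = {"sub": "248289761001", "street": "1 Main St", "l": "Springfield"}
    return expected, unknown, locate_claims(expected, id_token_claims, userinfo_claims)


if __name__ == "__main__":
    exp, unk, where = demo()
    print("expected:", sorted(exp))
    print("unknown scopes:", unk)
    for claim, place in where.items():
        print(f"  {claim}: {place}")
```

<p>Running it against the constructed document shows the effect of the overlay: the "email" scope yields "mail" rather than "email"/"email_verified", the "address" scope yields only the four LDAP-style attributes that are also in claims_supported, "custom_roles" is reported as unknown, and "given_name" and "postalCode" end up "missing" even though the OP advertised them, which is exactly the gap the reply describes.</p>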