<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">If the OP is already a
SCIM provider, this makes a lot of sense. However, for an OP with
no SCIM support, implementing SCIM for this one purpose might be a
lot of work.<br>
<br>
I agree with Nat that it would be ideal if the claim could be
returned in the id_token per the mechanism already supported by
OIDC.<br>
<br>
Thanks,<br>
George<br>
</font><br>
<div class="moz-cite-prefix">On 11/8/16 11:24 AM, Nat Sakimura
wrote:<br>
</div>
<blockquote
cite="mid:CABzCy2DsuUqVTwHsUMSd3WeJmzRJUs89qE8nvAPuhadn2xOWBg@mail.gmail.com"
type="cite">
<div dir="ltr">Good point.
<div><br>
</div>
<div>At the same time, I suspect that there are use cases where
the RP wants to have it in the ID Token. </div>
<div>Perhaps we can slightly expand Phil's draft to introduce
such possibilities. </div>
<div><br>
</div>
<div>Nat<br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Nov 9, 2016 at 1:19 AM Prateek Mishra
via Openid-specs-ab &lt;<a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>&gt;
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word" class="gmail_msg">
<div class="gmail_msg">George,</div>
<div class="gmail_msg"><br class="gmail_msg">
</div>
<div class="gmail_msg">Have you considered using SCIM
for these more advanced queries? SCIM includes a query
language (age above 18) and also schema for attributes
that lie outside the standard.</div>
<div class="gmail_msg"><br class="gmail_msg">
</div>
<div class="gmail_msg">Phil recently published a draft
explaining how an OIDC client could also act as a SCIM
client within the OIDC framework.</div>
<div class="gmail_msg"><br class="gmail_msg">
</div>
<div class="gmail_msg"><a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-scim-profile-1_0.html"
class="gmail_msg" target="_blank">http://openid.net/specs/openid-connect-scim-profile-1_0.html</a></div>
</div>
<div style="word-wrap:break-word" class="gmail_msg">
<div class="gmail_msg"><br class="gmail_msg">
</div>
<div class="gmail_msg">- prateek</div>
</div>
<div style="word-wrap:break-word" class="gmail_msg"><br
class="gmail_msg">
<div class="gmail_msg">
<blockquote type="cite" class="gmail_msg">
<div class="gmail_msg">On Nov 4, 2016, at 12:32 PM,
George Fletcher via Openid-specs-ab &lt;<a
moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
class="gmail_msg" target="_blank">openid-specs-ab@lists.openid.net</a>&gt;
wrote:</div>
<br
class="m_852935980795523248Apple-interchange-newline
gmail_msg">
<div class="gmail_msg">Hi,<br class="gmail_msg">
<br class="gmail_msg">
As a relying party, I'd love to be able to ask the
OpenID Provider whether the user authenticating is
over a particular age. This could be used in many
use cases. However, when I look at the spec, there
is only a provided claim name of 'birthdate'. I
don't really want the user's birth date, just an
assertion that the user is over a particular age.<br
class="gmail_msg">
<br class="gmail_msg">
I don't see a way to do this via the OIDC claim
mechanism. Any thoughts on how an RP may make such
a request?<br class="gmail_msg">
<br class="gmail_msg">
Thanks,<br class="gmail_msg">
George<br class="gmail_msg">
_______________________________________________<br
class="gmail_msg">
Openid-specs-ab mailing list<br class="gmail_msg">
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net"
class="gmail_msg" target="_blank">Openid-specs-ab@lists.openid.net</a><br
class="gmail_msg">
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
class="gmail_msg" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br
class="gmail_msg">
</div>
</blockquote>
</div>
<br class="gmail_msg">
</div>
</blockquote>
</div>
</div>
</div>
<div dir="ltr">-- <br>
</div>
<div data-smartmail="gmail_signature">
<p dir="ltr">Nat Sakimura</p>
<p dir="ltr">Chairman of the Board, OpenID Foundation</p>
</div>
</blockquote>
<br>
</body>
</html>