<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Daniel<div class=""><br class=""></div><div class="">For info, there are (to the best of my knowledge) no certification tests that cover value/values (aside from one of two FAPI tests that request values for acr or ecosystem-specific claims).</div><div class=""><br class=""></div><div class="">My belief is:</div><div class=""><br class=""></div><div class="">Q1: “B”. Although I think you meant to write “family_name”: “Doe” for “B”.</div><div class=""><br class=""></div><div class="">Reasoning is that I don’t see any language that requires a non-match for one value to affect other returned values. (Except in the special cases of sub and acr where behaviour is explicitly defined.)</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Q2: “C”, an error as per specific behaviour for ‘sub’ defined in bullet 4 of <a href="https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation" class="">https://openid.net/specs/openid-connect-core-1_0.html#AuthRequestValidation</a></div><div class=""><br class=""></div><div class="">Cheers</div><div class=""><br class=""></div><div class="">Joseph</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 13 Apr 2022, at 17:14, Daniel Fett via Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class="">
<div class="">
Hi all,<br class="">
<br class=""><p class="">during the work on the Advanced Syntax for Claims spec, a
question came up in the eKYC working group. It seems that some
details of the constraints one can express using value/values in
OpenID Connect Core are not as clear as we thought.<br class="">
</p><p class="">The relevant bits of the spec: <a moz-do-not-send="true" href="https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests" class="moz-txt-link-freetext">https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests</a></p><p class="">Let's suppose that the OP has the following data about the
authenticated user:</p>
<ul class="">
<li class="">sub: 1337</li>
<li class="">given name: John</li>
<li class="">family name: Doe</li>
</ul><p class="">For clarity, I'll try to capture the bone of contention in two
questions. There is a potential for follow-ups, with other claim
names, essential, max_age etc., but let's focus on these examples
first:<br class="">
</p><p class="">------------------------------<br class="">
<br class="">
Q1: For this request, what should be the user claims in the ID
token?:<br class="">
<br class="">
<font face="monospace" class="">claims={<br class="">
"id_token": {<br class="">
"given_name": {<br class="">
"value": <b class="">"Albert"</b><br class="">
},<br class="">
"family_name": null<br class="">
}<br class="">
}<br class="">
</font><br class="">
(A)<br class="">
<br class="">
<font face="monospace" class="">{ "sub": "1337" }</font><br class="">
<br class="">
(All claims are omitted since the given name does not match. sub
must always be present in the ID Token, so it is not omitted.)<br class="">
<br class="">
(B)<br class="">
<br class="">
<font face="monospace" class="">{<br class="">
"sub": "1337",<br class="">
"family_name": null<br class="">
}</font><br class="">
<br class="">
(given_name is omitted as it does not match the value constraint.
The other claims are not affected by the value constraint.)<br class="">
<br class="">
(C)</p><p class="">An error is sent back to the RP. While this is explicitly
forbidden in case of unavailable "essential" claims, it is not
excluded for mismatches in value/value constraints.<br class="">
</p><p class="">(D)<br class="">
something else?<br class="">
<br class="">
------------------------------<br class="">
<br class="">
Q2: What about this request?<br class="">
<br class="">
<font face="monospace" class="">claims={<br class="">
"id_token": {<br class="">
"sub": {<br class="">
"value": <b class="">"4224"</b><br class="">
},<br class="">
"given_name": null,<br class="">
"family_name": null<br class="">
}<br class="">
}</font><br class="">
<br class="">
<br class="">
(A)<br class="">
<br class="">
<font face="monospace" class="">{ "sub": "1337" }</font><br class="">
<br class="">
(Again, all claims are omitted since the sub does not match, but
in order to send back a valid response, sub must be present.)<br class="">
<br class="">
(B)</p><p class="">??? Not sure what other non-error solutions there could be.<br class="">
</p><p class="">(C)<br class="">
</p><p class="">An error is sent back to the RP. <br class="">
<br class="">
(D)<br class="">
<br class="">
something else?<br class="">
</p><p class="">------------------------------</p>
-Daniel<br class="">
<br class="">
</div>
_______________________________________________<br class="">Openid-specs-ab mailing list<br class=""><a href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.net</a><br class="">https://lists.openid.net/mailman/listinfo/openid-specs-ab<br class=""></div></blockquote></div><br class=""></div></body></html>