<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><a href="https://openid.net/specs/openid-connect-core-1_0-32.html">https://openid.net/specs/openid-connect-core-1_0-32.html</a> clarifies that “<span style="font-size:12.0pt;font-family:&quot;Verdana&quot;,sans-serif;color:black;background:white">It
is not an error condition to not return a requested Claim.</span>”<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">There are many reasons why a requested claim may not be provided. The OP may not have it. The End-User may not have consented to its release. Asking for a claim and not receiving it is not an error condition. It’s up to the RP to decide
how to handle that eventually.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> -- Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Openid-specs-ab &lt;openid-specs-ab-bounces@lists.openid.net&gt;
<b>On Behalf Of </b>Joseph Heenan via Openid-specs-ab<br>
<b>Sent:</b> Friday, September 29, 2023 8:08 AM<br>
<b>To:</b> Artifact Binding/Connect Working Group &lt;openid-specs-ab@lists.openid.net&gt;<br>
<b>Cc:</b> Joseph Heenan &lt;joseph@authlete.com&gt;<br>
<b>Subject:</b> Re: [Openid-specs-ab] Handling of invalid claim values within claims request parameter<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi Kai<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I’m not sure any of these cases are really strictly defined. Certainly we don’t test any behaviours like this in any of the OpenID Foundation conformance tests, although the testing of the claims perhaps is certainly not comprehensive.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Rejecting the request seems fine.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Accepting the request but ignoring parts of it is probably acceptable as I can’t see anything that really defines the behaviour in this case. You should probably NOT return any claims where the request for that claim is invalid. The caveat
would be that by ignoring that part of the request you’re also losing your ability to tell the developer why their request is not working as they expected, which makes it harder for them to figure out what they’ve done wrong and hence harder for them to fix
their request to be valid.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">In reality we really shouldn’t be expecting a situation like this to occur except when a developer has badly misread the specification, and hence my instinct is we should err towards returning an error that tells the developer what they’ve
done wrong.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">(For clarity the above is not an official position of the OpenID Foundation.)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Joseph<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 28 Sep 2023, at 14:06, Kai Lehmann via Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>&gt; wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hi,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The OIDCC spec allows RPs to request individual claims with the claims parameter:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><a href="https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests"><span style="color:#0563C1">https://openid.net/specs/openid-connect-core-1_0.html#IndividualClaimsRequests</span></a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I was wondering how strict the OP should be in handling invalid claim values within this request. For example:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">{<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">&nbsp;&nbsp;"first_name": "INVALID",<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">&nbsp;&nbsp;"last_name": 5,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">&nbsp;&nbsp;"email": {<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">&nbsp;&nbsp;&nbsp;&nbsp;"essential": "INVALID"<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">&nbsp;&nbsp;}<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">}<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">My interpretation of “The member values MUST be one of the following …” would be that the claims request parameter would be invalid if it contained invalid member values and thus the server should reject the request with a redirect back
to the RP’s provided redirect_uri with invalid_request error. Would a more relaxed parsing (ignoring invalid claim parameters) also be an option and still in accordance with the specification?<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Best regards,<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Kai<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,sans-serif">_______________________________________________<br>
Openid-specs-ab mailing list<br>
</span><a href="mailto:Openid-specs-ab@lists.openid.net"><span style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,sans-serif;color:#0563C1">Openid-specs-ab@lists.openid.net</span></a><span style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,sans-serif"><br>
</span><a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab"><span style="font-size:9.0pt;font-family:&quot;Helvetica&quot;,sans-serif;color:#0563C1">https://lists.openid.net/mailman/listinfo/openid-specs-ab</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
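<p class="MsoNormal">The following Python module is an added example written for this thread, not code from any of the participants or from the OpenID Foundation. It implements the two OP behaviours discussed above for the claims request parameter as defined in OIDC Core section 5.5 (reject the whole request with invalid_request, or accept it and drop only the malformed entries) and separately shows that omitting a requested claim the OP cannot release is not an error. The input is a constructed JSON document modelled on the example in the question; the redirect_uri, the state value and the extra claim names are assumptions.</p>

```python
"""Validator for the OpenID Connect 'claims' request parameter (OIDC Core 5.5).
Added example for the thread above, not code from any participant.
"""
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# The two targets OIDC Core defines; other top-level members are ignored.
CLAIM_TARGETS = ("userinfo", "id_token")


class InvalidClaimsRequest(ValueError):
    """Raised in strict mode; the OP maps it to an 'invalid_request' error."""


def _check_claim_spec(path, spec, problems):
    """Return True if one individual claim request is well-formed.

    A member value MUST be null or an object; inside the object 'essential'
    MUST be a boolean and 'values' MUST be an array. 'value' may be any JSON
    value, and members the OP does not understand are ignored.
    """
    if spec is None:
        return True
    if not isinstance(spec, dict):
        problems.append(f"{path}: must be null or an object, got "
                        f"{type(spec).__name__}")
        return False
    ok = True
    if "essential" in spec and not isinstance(spec["essential"], bool):
        problems.append(f"{path}.essential: must be a boolean")
        ok = False
    if "values" in spec and not isinstance(spec["values"], list):
        problems.append(f"{path}.values: must be an array")
        ok = False
    return ok


def parse_claims_request(raw, strict=True):
    """Parse the claims parameter into (accepted, problems).

    'accepted' maps target -> {claim: spec} and holds only well-formed
    entries; 'problems' lists what was wrong with the rest. In strict mode
    any problem raises InvalidClaimsRequest instead. JSON that does not
    parse, or is not an object, is rejected in both modes.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise InvalidClaimsRequest(f"claims is not valid JSON: {exc}") from None
    if not isinstance(doc, dict):
        raise InvalidClaimsRequest("claims must be a JSON object")
    problems, accepted = [], {}
    for target in CLAIM_TARGETS:
        if target not in doc:
            continue
        section = doc[target]
        if not isinstance(section, dict):
            problems.append(f"{target}: must be an object")
            continue
        accepted[target] = {}
        for name, spec in section.items():
            if _check_claim_spec(f"{target}.{name}", spec, problems):
                accepted[target][name] = spec
    if strict and problems:
        raise InvalidClaimsRequest("invalid_request: " + "; ".join(problems))
    return accepted, problems


def release_claims(requested, available):
    """Pick the claims to return from those the OP holds and may release.

    A requested claim missing from 'available' is simply omitted: per OIDC
    Core it is not an error not to return a requested claim.
    """
    return {name: available[name] for name in requested if name in available}


def error_redirect(redirect_uri, description, state=None):
    """Build the redirect back to the RP carrying error=invalid_request."""
    parts = urlsplit(redirect_uri)
    query = dict(parse_qsl(parts.query))
    query["error"] = "invalid_request"
    query["error_description"] = description
    if state is not None:
        query["state"] = state
    return urlunsplit(parts._replace(query=urlencode(query)))


# Constructed input modelled on the question's example, placed under the
# 'userinfo' target with two well-formed entries ('name', 'nickname') added.
EXAMPLE_CLAIMS = json.dumps({"userinfo": {
    "first_name": "INVALID",
    "last_name": 5,
    "email": {"essential": "INVALID"},
    "name": None,
    "nickname": {"essential": True},
}})

if __name__ == "__main__":
    print("lenient:", parse_claims_request(EXAMPLE_CLAIMS, strict=False))
    try:
        parse_claims_request(EXAMPLE_CLAIMS, strict=True)
    except InvalidClaimsRequest as exc:  # assumed redirect_uri and state
        print(error_redirect("https://rp.example/cb", str(exc), state="xyz"))
```

<p class="MsoNormal">Strict mode is the behaviour Joseph leans towards: the error_description on the redirect carries the list of offending members back to the RP developer. Lenient mode keeps only the well-formed entries, so a claim whose individual request was invalid is never returned, while release_claims shows the separate, non-error case of a well-formed request for a claim the OP does not have or will not release.</p>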
</div>
</body>
</html>