[Openid-specs-fapi] Issue #450: What should the claims field hold? (openid/fapi)

Takahiko Kawasaki issues-reply at bitbucket.org
Mon Oct 4 19:27:29 UTC 2021


New issue 450: What should the claims field hold?
https://bitbucket.org/openid/fapi/issues/450/what-should-the-claims-field-hold

Takahiko Kawasaki:

“[6.4. Query Status of a Grant](https://openid.net/specs/fapi-grant-management-ID1.html#name-query-status-of-a-grant)” explains the `claims` field as follows.

* `claims`: JSON array containing the names of all OpenID Connect claims (see [[OpenID](https://openid.net/specs/fapi-grant-management-ID1.html#OpenID)]) as requested and consented in one or more authorization requests associated with the respective grant.

What should the `claims` field hold when claims contained in the ID token and the UserInfo response are different from the consented ones? For example, the user may permit the `profile` scope and the special scope is expanded to `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, and `updated_at` claims (cf. OIDC Core [Section 5.4](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims)). However, it is rare that all the claims are included in the ID token and/or the UserInfo response.

Should the `claims` field contain all the consented claims even when they are not actually included in the ID token and the UserInfo response?
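The scope expansion the issue describes, with the two candidate readings of the `claims` field computed side by side, as an added Python example that is not part of the original post or the spec; the `policy` names and the sample ID token / UserInfo payloads are assumptions constructed for illustration.

```python
# Added worked example for the question in FAPI issue #450; not code from the
# spec or the poster. Scope names and their claim expansions follow OIDC Core 1.0
# Section 5.4; the sample ID token / UserInfo payloads are constructed.

# OIDC Core 5.4: the standard claims each scope value requests.
SCOPE_CLAIMS = {
    "profile": [
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    ],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# ID token framing claims (OIDC Core 2) that appear regardless of consent.
FRAMING_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
                  "acr", "amr", "azp", "at_hash", "c_hash"}

# Constructed sample: what this grant's ID token and UserInfo actually carried.
SAMPLE_ID_TOKEN = {"iss": "https://op.example", "sub": "248289761001",
                   "aud": "s6BhdRkqt3", "exp": 1633377000, "iat": 1633376400,
                   "name": "Jane Doe", "updated_at": 1311280970}
SAMPLE_USERINFO = {"sub": "248289761001", "name": "Jane Doe",
                   "given_name": "Jane", "picture": "https://op.example/p.jpg",
                   "email": "janedoe@example.com"}

def consented_claims(scopes, explicit_claims=()):
    """Claim names the user consented to: scope expansion (5.4) plus any
    names requested through the `claims` request parameter (5.5)."""
    names = set(explicit_claims)
    for scope in scopes:
        names.update(SCOPE_CLAIMS.get(scope, []))
    return sorted(names)

def released_claims(id_token, userinfo):
    """Claim names actually delivered to the client across both artifacts."""
    return sorted((set(id_token) | set(userinfo)) - FRAMING_CLAIMS)

def claims_field(scopes, explicit_claims, id_token, userinfo, policy):
    """The `claims` array of a grant-status response under one of the two
    readings the issue contrasts. `policy` is an assumption of this example:
    "consented" lists every consented name, "released" only those returned."""
    consented = consented_claims(scopes, explicit_claims)
    if policy == "consented":
        return consented
    delivered = set(released_claims(id_token, userinfo))
    return [c for c in consented if c in delivered]
```

With the sample payloads, the "consented" reading yields all sixteen `profile` and `email` claim names, while the "released" reading shrinks to the five that were actually returned.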


