[openid-specs-rande] SAML to OIDC mapping specification

Mischa Salle msalle at nikhef.nl
Tue Mar 9 11:47:32 UTC 2021


Hi Etienne, all,

On Tue, Mar 09, 2021 at 12:07:32PM +0100, Etienne Dysli Metref wrote:
> On 09.03.21 10:17, Alan Buxey wrote:
> > there is prior art here - eg
> > https://github.com/IdentityServer/IdentityServer3/blob/master/source/Core/Constants.cs#L438
> 
> These are just the standard claims from
> https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
> 
> > attribute names come through as snake_case from the JWT token in json.
> 
> Where is it specified that JWT claim names have to be snake_cased?

They don't have to; there is no spec demanding that.
It does seem to be more common though.

> > also, as a case example: in the UK, the National Health Service (NHS)
> > when migrating to SAML moved their CamelCase
> > attributes to the lower case (often underscore separated) values
> > 
> > https://developer.nhs.uk/apis/spine-core/legacy_authorisation.html
> > https://digital.nhs.uk/services/nhs-identity/guidance-for-developers/detailed-guidance/scopes-and-claims
> 
> Please cite an actual specification instead of random examples of people
> doing all sorts of things.

Although I agree that there isn't a spec requiring the use of snake_case
over camelCase, I think it does make sense that (lacking such a spec) we
look at what is commonly done for OIDC and JWTs in general.
I think indeed that your suggestion of a vote is probably the best way
at this moment, but it would be good to do that based on what we see is
mostly done and as such it's good to have a number of examples.
After making a decision, some implementation will need to change.

> > there are probably considered reasons why certain things have been
> > undertaken - e.g. JSON is case sensitive
> 
> Then cite those reasons and their backing arguments, so we can consider
> them instead of just guessing.

I think it could also be good to ask a bit more broadly within the OpenID
Foundation to see what other WGs are doing.
It seems virtually all OIDF-based specs are using snake_case for the
registered or to-be-registered claims but I don't know if that's policy
or coincidence.

Cheers
Mischa

-- 
Nikhef                      Room  H155
Science Park 105            Tel.  +31-20-592 5102
1098 XG Amsterdam           Fax   +31-20-592 5155
The Netherlands             Email msalle at nikhef.nl
  __ .. ... _._. .... ._  ... ._ ._.. ._.. .._..