<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Paul,<div class=""><br class=""></div><div class="">I think you can safely assume that most OIDC/OAuth2 implementations will have absolutely no clue as to</div><div class="">what eduperson_entitlement is and what kind of values it holds.</div><div class=""><br class=""></div><div class="">They will probably know about attributes like email because that’s in the OIDC core document list of standard </div><div class="">attributes. Anything outside that list will be unknown territory.</div><div class=""><br class=""></div><div class="">This means that anything goes. To the OIDC software it will not matter if it’s a single string or a list of strings.</div><div class="">It will just accept it and hope that someone higher up will know what to do with it.</div><div class=""><br class=""></div><div class="">So for the application that uses the OIDC software it’s a whole other ball game. 
It will know about eduperson_entitlement </div><div class="">and if so MUST be able to deal with getting a string or a list of strings as values of the attribute.</div><div class="">But since you are in control of the application/application software that shouldn’t be a problem.</div><div class=""><div><br class=""></div><div>As an aside, the OIDC implementations I know about all accept a string or a list of strings when the value of an attribute is</div><div>defined to be an array of strings. So your example with 'aud' is in my experience not a problem.</div><div><br class=""></div><div><blockquote type="cite" class=""><div class="">On 24 Feb 2021, at 12:14, Paul Millar <<a href="mailto:paul.millar@desy.de" class="">paul.millar@desy.de</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">Hi,<br class=""><br class="">I'm writing here because Niels van Dijk suggested this might be the correct forum to record this information.<br class=""><br class="">I was looking at the white paper on how to map SAML attributes to OIDC claims:<br class=""><br class=""> <a href="https://daasi.de/pub/20181011-OIDC-WP.pdf" class="">https://daasi.de/pub/20181011-OIDC-WP.pdf</a><br class=""><br class="">One thing I noticed was that, under the "Advanced profile" section, the above document describes how an attribute's _name_ is mapped to a corresponding OIDC claim name, but doesn't seem to describe how an attribute's _value_ is mapped.<br class=""><br class="">My particular interest was in understanding how eduPersonEntitlement was being mapped to the "eduperson_entitlement" claim. 
In particular, if the IdP assertion contains only one eduPersonEntitlement attribute would a JSON String (rather than a JSON Array of JSON String) be valid?<br class=""><br class="">As a concrete example, would this be a valid response from the user-info endpoint:<br class=""><br class=""> {<br class=""> "sub": "00112233445566778899aabbccddeeff",<br class=""> "eduperson_entitlement": "urn:<a href="http://example.org" class="">example.org</a>:foo",<br class=""> ...<br class=""> }<br class=""><br class="">or must it always be represented as a JSON Array:<br class=""><br class=""><br class=""> {<br class=""> "sub": "00112233445566778899aabbccddeeff",<br class=""> "eduperson_entitlement": [<br class=""> "urn:<a href="http://example.org" class="">example.org</a>:foo"<br class=""> ],<br class=""> ...<br class=""> }<br class=""><br class="">As motivation, there are other OIDC claims that have a string-or-array-of-strings value; e.g., in RFC7519 "aud" claim value is defined as an array of StringOrURI values, but the value MAY be a single JSON-String if the audience is single-valued.<br class=""><br class="">I understand that the working group that came up with the white paper is no longer operating; however, I wanted to give some feedback about a potential ambiguity so that other REFEDS groups might consider this in any future version of this (or similar) document.<br class=""><br class="">Cheers,<br class="">Paul.<br class="">-- <br class="">openid-specs-rande mailing list<br class=""><a href="mailto:openid-specs-rande@lists.openid.net" class="">openid-specs-rande@lists.openid.net</a><br class="">http://lists.openid.net/mailman/listinfo/openid-specs-rande<br class=""></div></div></blockquote></div><br class=""><div class="">
<div dir="auto" style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">— Roland</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;"><br class=""></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px; -webkit-text-stroke-width: 0px; text-decoration: none;">Were it left to me to decide whether we should have a government without newspapers, or newspapers without a government, I should not hesitate a moment to prefer the latter. -Thomas Jefferson, third US president, architect, and author (1743-1826) </div></div>
</div>
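As an added example (not part of this thread or of any library discussed in it), the relying-party-side handling Roland describes: accept eduperson_entitlement and aud as either a bare JSON string or an array of strings, refuse any other JSON type, and authorize only on an exact entitlement match. The client_id "my-client" and the sample user-info documents are constructed for the example.

```python
import json
from typing import Any

# Claims whose value may be either one string or an array of strings:
# eduperson_entitlement in practice, "aud" per RFC 7519 section 4.1.3.
STRING_OR_ARRAY_CLAIMS = {"eduperson_entitlement", "aud"}


class ClaimTypeError(ValueError):
    """Raised when a claim holds a value of an unexpected JSON type."""


def as_string_list(claims: dict[str, Any], name: str) -> list[str]:
    """Return the claim as a list of strings, whether the provider sent a
    bare JSON string, an array of strings, or omitted the claim entirely."""
    if name not in claims:
        return []
    value = claims[name]
    if isinstance(value, str):
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return value
    # A number, object or mixed array is a malformed response: refuse it
    # rather than coerce it, so an odd value can never satisfy a check.
    raise ClaimTypeError(
        f"{name!r} must be a string or array of strings, got {type(value).__name__}"
    )


def has_entitlement(claims: dict[str, Any], required: str) -> bool:
    """Grant only when the exact entitlement URN is present (no prefix match)."""
    return required in as_string_list(claims, "eduperson_entitlement")


def audience_ok(claims: dict[str, Any], client_id: str) -> bool:
    """ID token audience check from OIDC Core 3.1.3.7: our client_id must be in aud."""
    return client_id in as_string_list(claims, "aud")


# Constructed user-info responses, one in each shape the question asks about.
SINGLE = json.loads('{"sub": "00112233445566778899aabbccddeeff",'
                    ' "eduperson_entitlement": "urn:example.org:foo", "aud": "my-client"}')
ARRAY = json.loads('{"sub": "00112233445566778899aabbccddeeff",'
                   ' "eduperson_entitlement": ["urn:example.org:foo"],'
                   ' "aud": ["my-client", "other-client"]}')

if __name__ == "__main__":
    for doc in (SINGLE, ARRAY):
        print(has_entitlement(doc, "urn:example.org:foo"), audience_ok(doc, "my-client"))
```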
<br class=""></div></body></html>