- changed milestone to Implementer's Draft
- changed component to Messages
Messages - "sub" can be returned in Distributed UserInfo?
When an RP is given a UserInfo including a token for Distributed claims stored in the CP's UserInfo, can "sub" be returned in the JWT?
"sub" may be a PPID for the CP and I think it should not be distributed to another party except the OP.
Is there any way for the CP to know if the UserInfo access_token is for distributed claims or a normal one?
Comments (3)
reporter: A typical case may be the one where both a client and a claim provider are RPs of an OP. When my identifiers are PPIDs, I think that a client should not know my PPID at a claim provider.
I think that, if the meta information of the access token tells that the request is a distributed one, a claim provider may be able to disclose the PPID of the user. Meta information can be provided as assertion tokens (JWT), or introspected at some issuer's (OP's) endpoints.
- changed status to resolved
Fixed
#805 - Placed requirements on use of the "sub" Claim when Aggregated Claims and Distributed Claims are used, to prevent unintended correlations. → <<cset 1d2f56573ede>>
We will say that a "sub" claim should not be present in an aggregated claims set. However, in the distributed claims case there isn't an actual problem because the claims are returned directly to the RP. However, if a subject isn't needed, it shouldn't be provided. We will need to write more down about how to protect pseudonymity for the cases where that's a goal.
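As an added example (not part of the issue thread or of the spec text), a Python sketch of the behaviour the resolution describes: the Claims Provider omits "sub" from a distributed-claims response, and the RP's merge of `_claim_names`/`_claim_sources` (the OIDC Core distributed-claims format) never takes a "sub" from a source, so the OP's "sub" is the only subject the RP ever sees. The endpoint, token and claim values are constructed, and the CP is assumed to learn the requested claim set from the access token.

```python
# Added example (not from the issue thread): CP-side filtering and RP-side
# merging of OpenID Connect distributed claims so that a Claims Provider's
# own "sub" (possibly a PPID) is never handed to, or used by, the RP.
from typing import Any, Callable, Dict, Set

Claims = Dict[str, Any]

def cp_distributed_response(cp_claims: Claims, requested: Set[str]) -> Claims:
    """Claims Provider side: return only the claims the (distributed-claims)
    access token allows, and never the CP's own 'sub'."""
    return {k: v for k, v in cp_claims.items() if k in requested and k != "sub"}

def merge_distributed_claims(userinfo: Claims,
                             fetch: Callable[[str, str], Claims]) -> Claims:
    """RP side: resolve _claim_names/_claim_sources via fetch(endpoint, token).
    Only claims the OP named for a source are copied from that source, and a
    'sub' returned by any source is ignored, so the OP's 'sub' stays in place."""
    merged = {k: v for k, v in userinfo.items()
              if k not in ("_claim_names", "_claim_sources")}
    names = userinfo.get("_claim_names", {})
    sources = userinfo.get("_claim_sources", {})
    fetched: Dict[str, Claims] = {}
    for claim, src in names.items():
        if claim == "sub":
            continue  # a source must never define the subject
        if src not in fetched:
            ref = sources[src]
            fetched[src] = fetch(ref["endpoint"], ref.get("access_token", ""))
        if claim in fetched[src]:
            merged[claim] = fetched[src][claim]
    return merged

# Constructed sample data (hypothetical values, not from the thread).
CP_RECORD = {"sub": "cp-ppid-9f2c", "shipping_address": "1 Example Way",
             "phone": "+1-555-0100"}
OP_USERINFO = {
    "sub": "op-ppid-4a71", "name": "Jane Doe",
    "_claim_names": {"shipping_address": "cp1"},
    "_claim_sources": {"cp1": {"endpoint": "https://cp.example/claims",
                               "access_token": "constructed-cp-token"}},
}

def fake_fetch(endpoint: str, token: str) -> Claims:
    # Stands in for the HTTPS call; the CP answers with the filtered response.
    return cp_distributed_response(CP_RECORD, {"shipping_address"})

def demo() -> Claims:
    return merge_distributed_claims(OP_USERINFO, fake_fetch)
```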