Extra claims from a claims provider

Issue #1050 resolved
Roland Hedberg created an issue

In section 5.6.2.2 in the example src1 is defined to return 2 claims (payment_info and shipping_address). This even though the example stipulates that src1 has 3 claims (shipping_address, payment_info and phone_number). This brings up the question about what to do if a claims provider returns more claims than listed in the response from the OpenID Provider. Is the RP expected to ignore the extra claims? Or just add them to the original response?

Comments (6)

  1. Marcos Sanz

    My suggestion is to ignore them.

    The OpenID Provider is responsible for managing the distribution, and thus might have decided that phone_number from src1 is not reliable, and so delivers no pointer to it in its UserInfo Response. It might even be that the OpenID Provider doesn't want to disclose a value for that claim, though it was requested (see section 5.3.2: "For privacy reasons, OpenID Providers MAY elect to not return values for some requested Claims."). It'd subvert all decisions of the Provider if "extra claims" coming from the Claims Provider are considered. It might become a privacy and even security issue. Thus ignore.

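The merge rule discussed above (accept from a claims provider only the claims the OpenID Provider's `_claim_names` pointed to that source, drop the rest), as an added example that is not part of the issue thread or of any OpenID implementation. It assumes the RP has already fetched and signature-verified each source's JWT and passes the decoded payloads in as dicts; the UserInfo response and source payloads below are constructed to mirror the spec's 5.6.2.2 example.

```python
# Constructed UserInfo response shaped like the spec's example: the OP
# delegates only payment_info and shipping_address to src1.
USERINFO = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "_claim_names": {"payment_info": "src1",
                     "shipping_address": "src1",
                     "credit_score": "src2"},
    "_claim_sources": {
        "src1": {"endpoint": "https://bank.example.com/claim_source"},
        "src2": {"endpoint": "https://creditagency.example.com/claims_here",
                 "access_token": "ksj3n283dke"},
    },
}

# Constructed, already signature-verified JWT payloads from each source.
# src1 also returns phone_number, which the OP never pointed the RP to.
SOURCE_PAYLOADS = {
    "src1": {"iss": "https://bank.example.com", "sub": "248289761001",
             "shipping_address": {"street_address": "1234 Hollywood Blvd.",
                                  "locality": "Los Angeles"},
             "payment_info": "Some payment info",
             "phone_number": "+1 (310) 123-4567"},
    "src2": {"iss": "https://creditagency.example.com", "credit_score": 650},
}

JWT_METADATA = {"iss", "sub", "aud", "iat", "exp", "nbf", "jti"}


def merge_distributed_claims(userinfo, source_payloads):
    """Return (claims, ignored): the OP's direct claims plus only the
    distributed claims the OP delegated to each source; `ignored` lists
    (source, claim) pairs a provider returned without being asked."""
    claim_names = userinfo.get("_claim_names", {})
    merged = {k: v for k, v in userinfo.items()
              if k not in ("_claim_names", "_claim_sources")}
    ignored = []
    for src, payload in source_payloads.items():
        # Claims the OP pointed at this particular source; a claim the OP
        # delegated to src2 is still unsolicited if src1 returns it.
        wanted = {c for c, s in claim_names.items() if s == src}
        for claim, value in payload.items():
            if claim in wanted:
                merged[claim] = value
            elif claim not in JWT_METADATA:
                ignored.append((src, claim))
    return merged, ignored
```

Logging the `ignored` list gives the RP a record of which claims provider is handing out data the OP did not authorise, which is the privacy signal Marcos's comment is concerned with.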