How to treat unknown identifiers in claims parameter

Issue #1094 closed
Torsten Lodderstedt created an issue

The RP might use identifiers for trust frameworks, id documents or verification methods that the OP does not understand. What is the best way to cope with such a situation?

  • ignore the error and provide the RP with what is available
  • refuse the request with an error

Comments (6)

  1. Michael Jones

    For extensibility, we typically say that fields that are not understood MUST be ignored. That way new things can be added without breaking existing deployments.

    Of course, if a field is required and must be understood to meet the use case requirements, then it’s reasonable to return an appropriate error if the required field is present but the value isn’t understood. This kind of handling might be appropriate for the requested trust framework parameter.

  2. gffletch

    By default today, IDP’s would ignore anything they don’t understand. The question is, should we add a “must understand” concept / qualifier to section 5.5.1 of the OpenID Connect spec.

  3. Víctor Herraiz Posada

    In our implementation we have to provide a way to force the OP to understand some claims. We do not want to release partial or invalid information to RP, those responses are not valid for the RP and there is no point to provide user info that is not going to be use. At the moment we are thinking on `“must_understand”: true` member at claim level. Extending “crit” could be a little difficult for claims in my opinion.

  4. Log in to comment