- changed status to resolved
Expected behaviour of OP when it doesn't have a requested claim
Issue #1111
resolved
In OpenID Connect, for example in “Authentication using the Authorization Code Flow”, what is the expected behaviour of the OP when an RP makes a request for claims that the OP doesn't know/have about a user? Should it return an error? Should it return an empty ID token? When I talk about empty, I mean an ID token with just a sub and no additional customer claims.
Thanks!
Comments (2)
reporter Great, thanks!
When an OP doesn’t have a requested claim or there isn’t permission to release it, it is to be omitted from the response. This is described at https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse, which says “If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value.”
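
The omission rule from the answer above, as an added example that is not part of the original thread and not taken from any OP implementation. The function names, the `releasable` policy set and the sample user record are hypothetical and constructed for illustration.

```python
# Added example: hypothetical OP-side claim assembly and RP-side lookup.

# Constructed sample of what an OP might hold about one user.
SAMPLE_USER = {
    "email": "alice@example.com",
    "email_verified": False,      # a real value: False must not be dropped
    "phone_number": "",           # stored but empty: treat as not held
    "nickname": None,             # unknown
    "address": {"country": "ES"}  # held, but not releasable to this RP
}


def build_claims_response(sub, requested, user_record, releasable):
    """OP side: assemble the JSON claims object for a response.

    requested   -- claim names the RP asked for
    user_record -- claims the OP holds for the user
    releasable  -- claim names policy/consent allows for this RP (assumption)
    """
    response = {"sub": sub}  # the request still succeeds with only sub
    for name in requested:
        if name == "sub" or name not in releasable:
            continue  # no permission to release: omit, do not raise an error
        value = user_record.get(name)
        if value is None or value == "":
            continue  # not held: omit the name instead of sending null or ""
        response[name] = value
    return response


def read_claim(claims, name, default=None):
    """RP side: a missing claim is a normal outcome, not a protocol error.

    Also tolerates an OP that sends null or "" despite the SHOULD NOT.
    """
    value = claims.get(name)
    return default if value is None or value == "" else value


if __name__ == "__main__":
    asked = ["email", "email_verified", "phone_number", "nickname",
             "birthdate", "address"]
    allowed = {"email", "email_verified", "phone_number", "nickname", "birthdate"}
    print(build_claims_response("248289761001", asked, SAMPLE_USER, allowed))
```

An RP that requires a particular claim for authorization decisions should check for its absence explicitly with `read_claim` and fail closed, since the OP will not signal the omission with an error.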