how should the OP behave when a claim is requested but not understood
Currently the spec says that any member in a claims request that is not understood should not cause a failure. Does the same answer apply to a claim?
For example:
    {
      "id_token": {
        "some_unknown_claim": { "essential": true }
      }
    }
Is the final decision about the behaviour an OP responsibility? (e.g. fail, only omit the claim, …)
Comments (9)
Yes. The OP should never fail a request simply because it doesn’t have a claim (or because it doesn’t have user permission to release the claim value).
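The behaviour stated in this answer, shown as an added example that is not from the thread, the spec, or any OpenID implementation: a hypothetical OP-side resolver that walks a claims request, ignores top-level members and claim members it does not understand, applies the `value`/`values` constraints it does understand, and omits any claim it cannot or may not release, without ever turning that into an error. The request JSON and the user record are constructed for the example; per-claim special cases such as `acr` are not modelled.

```python
import json

# Targets of a claims request this hypothetical OP understands; anything else is ignored.
KNOWN_TARGETS = ("id_token", "userinfo")


def select_claims(claims_request_json, available_claims, released_claims=None):
    """Resolve a claims request against what the OP knows about the user.

    available_claims: claim name -> value the OP holds for this user.
    released_claims: optional allow-list of claim names the user consented to release.
    Returns {"id_token": {...}, "userinfo": {...}} with only the claims that can be
    returned. Unknown claims, unknown members, unmet constraints and withheld claims
    are omitted silently; this function never raises for request content.
    """
    empty = {target: {} for target in KNOWN_TARGETS}
    try:
        request = json.loads(claims_request_json)
    except (TypeError, ValueError):
        return empty  # malformed parameter: treat as an empty request
    if not isinstance(request, dict):
        return empty
    allowed = set(available_claims) if released_claims is None else set(released_claims)

    result = {}
    for target in KNOWN_TARGETS:
        result[target] = {}
        requested = request.get(target)
        if not isinstance(requested, dict):
            continue  # absent or not an object: nothing requested for this target
        for name, spec in requested.items():
            if name not in available_claims or name not in allowed:
                continue  # unknown claim, or not permitted to release: omit, do not fail
            value = available_claims[name]
            if spec is None:
                pass  # null means "requested in the default manner"
            elif isinstance(spec, dict):
                # "essential": true is a hint to the OP, never a reason to fail the request.
                # Members other than essential/value/values are simply not looked at.
                if "value" in spec and spec["value"] != value:
                    continue
                if "values" in spec and (
                    not isinstance(spec["values"], list) or value not in spec["values"]
                ):
                    continue
            else:
                continue  # neither null nor an object: not understood, so omitted
            result[target][name] = value
    return result


# Constructed request mirroring the issue: an unknown essential claim, plus known ones.
EXAMPLE_REQUEST = json.dumps({
    "id_token": {"some_unknown_claim": {"essential": True}, "email": {"essential": True}},
    "userinfo": {
        "name": None,
        "email": {"values": ["someone-else@example.com"]},
        "locale": {"essential": True, "unknown_member": 1},
    },
    "unknown_target": {"sub": None},
})
# Constructed user record held by the OP.
EXAMPLE_USER = {"email": "alice@example.com", "name": "Alice", "locale": "en"}

if __name__ == "__main__":
    print(json.dumps(select_claims(EXAMPLE_REQUEST, EXAMPLE_USER), indent=2))
    print(json.dumps(select_claims(EXAMPLE_REQUEST, EXAMPLE_USER, ["name"]), indent=2))
```

Running it shows `some_unknown_claim` and `unknown_target` disappearing without any error, `email` being omitted from `userinfo` because its `values` constraint is not met, and the consent-restricted call returning only `name`; the RP has to detect a missing claim from the response rather than from an error.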
reporter: Is there any place in the documentation that specifies this behaviour?
In our use case, we do not want to release partial information (a subset of the claims requested by the RP). For our RP, partial information is not useful. If we add a member in the claims request to specify that this claim is "required" and fail if the OP supplies it, are we breaking any OpenID rules? Could our OP implementation be certified?
reporter: I would like the answer to point to the documentation.
There are lots of statements in the spec about omitting requested claims, including this one: "For privacy reasons, OpenID Providers MAY elect to not return values for some requested Claims". However, it would probably be helpful if we were to include a more direct and general statement.
I propose adding this clarifying sentence to the end of that paragraph: "It is not an error condition to not return a requested claim."
Issue #1141 was marked as a duplicate of this issue.
Will be fixed by https://bitbucket.org/openid/connect/pull-requests/581