how should the OP behave when a claim is requested but not understood

Issue #1115 resolved
Victor Herraiz created an issue

Currently the spec says that any member in a claim request that is not understood should not fail; does the same answer apply to a claim?

For example:

{
  "id_token": {
    "some_unknown_claim": { "essential": true }
  }
}

Is the final decision about the behaviour an OP responsibility? (e.g. fail, only omit the claim…)

Comments (9)

  1. Michael Jones

    Yes. The OP should never fail a request simply because it doesn’t have a claim (or because it doesn’t have user permission to release the claim value).

  2. Victor Herraiz reporter

    Is there any place in the documentation that specifies this behaviour?

    In our use case, we do not want to release partial (a subset of the claims requested by the RP) information. For our RP partial information is not useful. If we add a member in the claim request to specify that this claim is “required” and fail if the OP supply it, are we breaking any OpenID rules? Could our OP implementation be certified?

  3. Michael Jones
    • changed milestone to Errata
    • changed component to Core

    There are lots of statements in the spec about omitting requested claims, including this one: “For privacy reasons, OpenID Providers MAY elect to not return values for some requested Claims”. However, it would probably be helpful if we were to include a more direct and general statement.

    I propose adding this clarifying sentence to the end of that paragraph: “It is not an error condition to not return a requested claim.”
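The behaviour discussed in this thread, as an added illustration that is not code from the issue, from the commenters, or from the OpenID Connect specification: an OP-side resolver that walks a `claims` request, returns whatever it can, and silently omits claims it does not understand, does not hold, or lacks consent to release, never raising an error. The `CLAIMS_REQUEST`, `USER_RECORD` and `CONSENTED` values, and the `resolve_claims` and `rp_missing_essential` helpers, are constructed for the example. The second helper shows where the reporter's "all or nothing" requirement has to live if the OP never fails: the RP inspects the returned claims against the ones it marked `"essential": true` and makes the decision itself.

```python
import json

# Constructed claims request in the shape used in the issue.
# "some_unknown_claim" is a claim this hypothetical OP has no source for.
CLAIMS_REQUEST = json.loads("""
{
  "id_token": {
    "some_unknown_claim": { "essential": true },
    "email": { "essential": true },
    "name": null
  },
  "userinfo": {
    "phone_number": { "essential": false }
  }
}
""")

# Constructed end-user record the OP could draw claim values from.
USER_RECORD = {
    "email": "alice@example.test",
    "name": "Alice Example",
    "phone_number": "+15555550100",
}

# Constructed consent decision: claims the end-user agreed to release to this RP.
CONSENTED = {"email", "name"}


def resolve_claims(claims_request, user_record, consented, target):
    """OP side: return (claims_to_return, omitted_names) for `target`,
    which is "id_token" or "userinfo".

    Nothing here raises. A requested claim that is unknown, unavailable
    for this user, malformed in the request, or not consented to is simply
    left out, which is the behaviour the thread describes: it is not an
    error condition to not return a requested claim.
    """
    requested = claims_request.get(target) or {}
    returned = {}
    omitted = []
    for name, spec in requested.items():
        # A member is either null or a JSON object; anything else is "not
        # understood" and is ignored rather than failing the request.
        if spec is not None and not isinstance(spec, dict):
            omitted.append(name)
            continue
        # "essential" is only a hint about the RP's needs; it does not make
        # the OP fail when the claim cannot be supplied.
        if name not in user_record or name not in consented:
            omitted.append(name)
            continue
        returned[name] = user_record[name]
    return returned, omitted


def rp_missing_essential(claims_request, returned, target):
    """RP side: names of claims the RP marked essential that did not come
    back. An RP that cannot work with partial data checks this list and
    decides for itself what to do; the OP does not make that decision."""
    requested = claims_request.get(target) or {}
    return sorted(
        name for name, spec in requested.items()
        if isinstance(spec, dict) and spec.get("essential") is True
        and name not in returned
    )


if __name__ == "__main__":
    for target in ("id_token", "userinfo"):
        claims, omitted = resolve_claims(CLAIMS_REQUEST, USER_RECORD, CONSENTED, target)
        print(target, "returned:", claims, "omitted:", omitted)
        print(target, "essential claims the RP did not get:",
              rp_missing_essential(CLAIMS_REQUEST, claims, target))
```

Run as a script it shows the unknown essential claim and the non-consented `phone_number` being dropped without any error from the OP, and the RP-side check reporting `some_unknown_claim` as the essential claim it did not receive.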
