Returning end user claims in id token

Issue #1116 resolved
Jorge Oliva created an issue

Hi, while reading the docs of one of the certified products for OpenID (https://www.npmjs.com/package/openid-client) I have seen that:

"Core 1.0 - Requesting Claims using Scope Values defines that claims requested using the scope parameter are only returned from the UserInfo Endpoint unless the response_type is id_token"

The exact part of the specification says:

"The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."

I'm not sure if that statement means "Do not put End-User claims in the id token unless response_type is id_token"...

So my question is, if I use just "code" as response type in a request like this:

GET /authorize?
response_type=code
&scope=openid email
&client_id=3dfd89e1-964b-4ac4-ba46-977fc5f87db9
&request_uri=http://rp.example.com/request_obj/YTUHYJ6YHGT

Host: op.example.com

Then should the id token returned from the /token endpoint (when exchanging the code) have the End-User claims inside (I mean email and email_verified)? Or should it not contain these claims by specification?

Thanks!

Comments (6)

  1. Filip Skokan

    By the book it would not contain scope requested claims in that id token.

    However, returning them is not against the specification and, under pressure from developers consuming OIDC many vendors now return these claims in any id token as well.

  2. Filip Skokan

    Update what documentation?

    The Core 1.0 already allows that since ID Tokens MAY contain other Claims.

  3. Victor Herraiz

    Thank you so much. My understanding in this case is that the RP has to read the OP documentation to know if the email is going to be included in the id_token even for claims like "email", am I right?

  4. Michael Jones

    I wouldn’t rely upon OP documentation, since what claims are returned are subject to change. The set returned may be reduced for privacy reasons or increased if new data becomes available to the OP. Rather, I’d write your RP code to look at what claims you’ve received in the ID Token and from the UserInfo Endpoint and use them if needed by your application and if available, or fail gracefully if claims you’d like are not made available to your application.
