Core 5.6.2 - not clear behavior for distributed claims source if not all claims present
Hi,
For Aggregated Claims there is clear language saying "… that MUST contain all the Claims in the _claim_names object that references the corresponding _claim_sources member."
For Distributed Claims there is no such language, leaving open what the correct expectation is. Is it allowed behavior that the claims source may not return some of the claims referenced in _claim_names? If the system is distributed, the IdP may not know whether the claim source always contains all the claims (at least not without a back channel).
According to 5.3.2, claims may be omitted, and null is discouraged as a substitute for missing values:
For privacy reasons, OpenID Providers MAY elect to not return values for some requested Claims.
If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value.
The question appeared in the context of a certified RP client library for JavaScript “node openid-client”: https://github.com/panva/node-openid-client/issues/197
Thanks,
Pawel
Comments (6)
- changed milestone to Errata
We discussed this on the 24-Oct-19 working group call. The reason that there is no such language for Distributed Claims is that it's not possible to know statically what claims will actually be returned by the Distributed Claims providers. As in other cases when a requested claim isn't returned, this shouldn't result in an error. Rather, the RP should work with the claims that it actually was able to obtain, as always.
reporter Thanks for the clarification.
- changed status to open
Will be fixed by https://bitbucket.org/openid/connect/pull-requests/595
- changed status to resolved