Core 5.6.2 - not clear behavior for distributed claims source if not all claims present

Issue #1117 resolved
Pawel Kowalik created an issue

Hi,

For Aggregated Claims there is a clear language saying

… that MUST contain all the Claims in the _claim_names object that references the corresponding _claim_sources member.

For Distributed Claims there is no such language, leaving the interpretation open as to what the correct expectation is. Is it an allowed behavior that the claims source may not return some of the claims referenced in _claim_names? In case the system is distributed, the IdP may not know whether the claim source always contains all the claims (at least not without any back channel).

According to 5.3.2 it is suggested that the claims may be omitted, also discouraging usage of null as a potential substitute for missing values.

For privacy reasons, OpenID Providers MAY elect to not return values for some requested Claims.

If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value.

The question appeared in the context of a certified RP client library for JavaScript “node openid-client”: https://github.com/panva/node-openid-client/issues/197

Thanks,

Pawel

Comments (6)

  1. Michael Jones

    We discussed this on the 24-Oct-19 working group call. The reason that there is no such language for Distributed Claims is that it’s not possible to know statically what claims will actually be returned by the Distributed Claims providers. As in other cases when a requested claim isn’t returned, this shouldn’t result in an error. Rather, the RP should work with the claims that it actually was able to obtain, like always.
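The behaviour the question and the working group answer describe, as an added RP-side example (not code from node-openid-client or from the specification): a resolver for Core 5.6.2 Distributed Claims that merges whatever the source returned and reports, rather than throws on, claims named in _claim_names that did not come back. The payload, the endpoint URL, the access_token and the claim source's response are constructed sample values; `sampleFetch` stands in for the HTTPS request a real RP would make.

```javascript
// Constructed sample payload: three claims delegated to one distributed source.
const SAMPLE_CLAIMS = {
  sub: "248289761001",
  name: "Jane Doe",
  _claim_names: { address: "src1", phone_number: "src1", credit_score: "src1" },
  _claim_sources: {
    src1: { endpoint: "https://bank.example.com/claims", access_token: "ksj3n283dke" },
  },
};

// Constructed stand-in for the HTTPS GET (Bearer access_token) a real RP would do.
// This source omits credit_score and returns a null it should not (Core 5.3.2).
const SAMPLE_RESPONSES = {
  "https://bank.example.com/claims": {
    address: { locality: "Warsaw", country: "PL" },
    phone_number: null,
  },
};
function sampleFetch(endpoint, accessToken) {
  return SAMPLE_RESPONSES[endpoint] ?? {};
}

// Returns { claims, missing }: the merged claims plus the names that could not
// be obtained. A claim the source did not return is reported, never thrown.
function resolveDistributedClaims(payload, fetchSource = sampleFetch) {
  const { _claim_names: names = {}, _claim_sources: sources = {}, ...direct } = payload;
  const claims = { ...direct };
  const missing = [];
  const cache = new Map(); // one request per source, not per claim
  for (const [claimName, srcName] of Object.entries(names)) {
    const src = sources[srcName];
    // Aggregated (JWT) sources are out of scope here. The access_token goes only
    // to the endpoint the OP named, and only over TLS.
    if (!src || typeof src.endpoint !== "string" || !src.endpoint.startsWith("https://")) {
      missing.push(claimName);
      continue;
    }
    if (!cache.has(srcName)) {
      let body = null;
      try { body = fetchSource(src.endpoint, src.access_token); } catch { body = null; }
      cache.set(srcName, body && typeof body === "object" ? body : {});
    }
    const value = cache.get(srcName)[claimName];
    // Absent, null or empty string all mean "not provided" (Core 5.3.2).
    if (value === undefined || value === null || value === "") missing.push(claimName);
    else claims[claimName] = value;
  }
  return { claims, missing };
}
```

With the sample above, `address` is merged while `phone_number` and `credit_score` end up in `missing`, which is where application logic decides whether a missing claim matters.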