certification: is returning an empty address object permitted

Issue #1146 resolved
Joseph Heenan created an issue

We’ve run into a case where a user info response is returned with an empty address object, i.e.

{
  "sub": "znvZXyc-Rdv_vCf6DS1taj0Oc98uERaDjdbsBCraYRA",
  "@odata.context": "https://graph.microsoft.com/v2/66522826-e2e1-4cd9-82f5-6222397816bb/$metadata#directoryObjects/$entity",
  "@odata.type": "#Microsoft.DirectoryServices.UserInfo",
  "@odata.id": "https://graph.microsoft.com/v2/66522826-e2e1-4cd9-82f5-6222397816bb/directoryObjects/8dd678ce-eef8-4a6a-bf16-87b8da5f05e9/Microsoft.DirectoryServices.UserInfo",
  "id": "8dd678ce-eef8-4a6a-bf16-87b8da5f05e9",
  "name": "Manju",
  "address": {},
  "picture": "https://graph.microsoft.com/v1.0/me/photo/$value"
}

(In this particular case the authorization request was:

https://login.microsoftonline.com/66522826-e2e1-4cd9-82f5-6222397816bb/oauth2/v2.0/authorize?client_id=3a960cff-625b-4891-8c3d-11e6fb7d551e&redirect_uri=https://staging.certification.openid.net/test/a/mintgarden01/callback&scope=openid%20profile%20offline_access&state=0oiTJqkN89&nonce=ICluBJwk4D&response_type=code

)

https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims says:

Address. Json Object. End-User's preferred postal address. The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 5.1.1.

and:

The Address Claim represents a physical mailing address. Implementations MAY return only a subset of the fields of an address, depending upon the information available and the End-User's privacy preferences. For example, the country and region might be returned without returning more fine-grained address information.

Implementations MAY return just the full address as a single string in the formatted sub-field, or they MAY return just the individual component fields using the other sub-fields, or they MAY return both. If both variants are returned, they SHOULD be describing the same address, with the formatted address indicating how the component fields are combined.

The general language here (“containing some”, “subset of the fields”) makes me read this as requiring that the dictionary will always contain at least one element if present.

Clarification from the working group would be appreciated; I think the choices are:

  1. The spec requires address to be non-empty if present => certification fails
  2. The spec recommends address is non-empty if present => certification passes, but warning issued by test tool
  3. An empty address object is absolutely acceptable => certification passes (and possibly spec language should be clarified)

My understanding is the current python tests don’t check for this scenario.

Comments (7)

  1. Michael Jones

    We discussed this on the 6-Jan-20 working group call. It’s fine for the certification suite to flag the claim "address": {} as an error.

  2. Michael Jones

    Joseph, is the new certification code handling this condition? If so, we can close this issue.

  3. Joseph Heenan reporter

    Yes, the java userinfo tests flag "address" : {} as an error now (rather than throwing an exception as they did previously).
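
The check the thread settles on, sketched as an added example (this is not the certification suite's code): a userinfo validator that reports `"address": {}` as an error instead of raising an exception. The function name `check_address_claim`, the severity labels and the handling of unknown or non-string members are assumptions of this example; the member names are those listed in OpenID Connect Core section 5.1.1.

```python
import json

# Members of the address claim defined in OpenID Connect Core section 5.1.1.
ADDRESS_MEMBERS = {"formatted", "street_address", "locality",
                   "region", "postal_code", "country"}


def check_address_claim(userinfo):
    """Return a list of (severity, message) findings for the address claim."""
    if "address" not in userinfo:
        return []  # the claim is optional; absence is not a finding
    address = userinfo["address"]
    if not isinstance(address, dict):
        return [("error", "address must be a JSON object, got %s"
                 % type(address).__name__)]
    if not address:
        # Outcome recorded in the thread: "address": {} is flagged as an error.
        return [("error", "address is present but empty")]
    findings = []
    for name, value in sorted(address.items()):
        if name not in ADDRESS_MEMBERS:
            # Assumption of this example: unknown members are reported, not failed.
            findings.append(("warning", "unexpected address member %r" % name))
        elif not isinstance(value, str):
            # Assumption of this example: defined members must be strings.
            findings.append(("error", "address.%s must be a string" % name))
    return findings


# Constructed sample responses (shortened; not the response from the report).
SAMPLES = {
    "empty": '{"sub": "example-sub", "name": "Example", "address": {}}',
    "partial": '{"sub": "example-sub", "address": {"country": "NO", "region": "Oslo"}}',
    "absent": '{"sub": "example-sub", "name": "Example"}',
    "string": '{"sub": "example-sub", "address": "1 Example Street"}',
}


def run_samples():
    """Parse each constructed response and collect its findings by label."""
    return {label: check_address_claim(json.loads(body))
            for label, body in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, findings or "ok")
```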
