5.3.2 (te) `uid` and `cp_sub` should not be here but in the request to the claims endpoint (possibly)

Issue #1233 open
Nat Sakimura created an issue

Rationale

`uid` and `cp_sub` are not supposed to be in this section. The OP has no way of specifying them at this point, which is in the setup process. It can only do so in the request to the claims endpoint.

Proposal

Remove the following:

and defines the following new Claims in addition to the Claims defined in the OpenID Connect specification OpenID Connect 1.0 OIDC:

  • uid string The value is the base64url encoded representation of the thumbprint of the Client's public key for signing. This thumbprint value is computed as the SHA-256 hash of the octets of the UTF-8 representation of a JWK constructed containing only the REQUIRED members to represent the key, with the member names sorted into lexicographic order, and with no white space or line breaks. For instance, when the kty value is RSA, the member names e, kty, and n are the ones present in the constructed JWK used in the thumbprint computation and appear in that order; when the kty value is EC, the member names crv, kty, x, and y are present in that order. Note that this thumbprint calculation is the same as that defined in the JWK Thumbprint [JWK.Thumbprint] specification.
  • cp_sub string The Claim Provider's sub identifier for the authenticated user

Additionally, change the uid line in 5.4.1 to:

  • uid Optional String The value of the sub claim that the OP will use in the authentication response to the RP. It is used to bind the claims returned from the CP to the authentication response by the OP. If this parameter is not supplied, the uid claim's value MUST be supplied in the claims parameter.

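An added example (not part of the issue or of the draft it discusses) of the thumbprint computation that the quoted `uid` definition describes: only the REQUIRED JWK members are kept, sorted lexicographically, serialized without whitespace, hashed with SHA-256 and base64url-encoded. It uses the RSA key published in RFC 7638 section 3.1 as input; `uid_matches_key` is a hypothetical helper name for the verifier-side check.

```python
import base64
import hashlib
import hmac
import json

# Required members per key type, as listed in the quoted uid definition.
REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def canonical_jwk(jwk: dict) -> str:
    """Canonical JSON that gets hashed: REQUIRED members only, lexicographic order, no whitespace."""
    kty = jwk.get("kty")
    if kty not in REQUIRED_MEMBERS:
        raise ValueError(f"unsupported kty: {kty!r}")
    missing = [m for m in REQUIRED_MEMBERS[kty] if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    subset = {m: jwk[m] for m in REQUIRED_MEMBERS[kty]}  # drops kid, alg, use, private parts
    return json.dumps(subset, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def jwk_thumbprint(jwk: dict) -> str:
    """The uid value: SHA-256 over the canonical JWK, base64url without '=' padding."""
    digest = hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def uid_matches_key(uid: str, jwk: dict) -> bool:
    """Hypothetical verifier-side check: does a presented uid bind to this signing key?"""
    return hmac.compare_digest(uid.encode("utf-8"), jwk_thumbprint(jwk).encode("utf-8"))


# The RSA public key from RFC 7638 section 3.1 (kid and alg are not part of
# the thumbprint input); the RFC documents its thumbprint as
# "NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs".
RFC7638_KEY = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_"
         "BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_"
         "FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI"
         "4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}
```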