SIOPv2 - Clause 5 - Para 1 - Last sentence: "The ID Token MAY include claims about the End-User."

Comments (6)

1. 

   Kristina Yasuda

   • assigned issue to
     
     Michael Jones

   Mike will review prior to the beginning of the official Implementer’s Draft voting period.

   • 2022-01-22T01:18:44+00:00
2. 

   Michael Jones

   The distinction in the text is between claims about the authentication event for the End-User (the ones Nat cites above, which are normal ID Token claims), and claims actually about the End-User, which are defined at https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims and normally returned from the UserInfo Endpoint.

   • 2022-02-10T06:12:03+00:00
3. 

   David W Chadwick

   the sub claim is in the list of standard claims and is in the id-token. thus id-tokens always contain at least one standard claim about the end user. Therefore MAY is wrong.

   • 2022-02-10T08:58:24+00:00
4. 

   Michael Jones

   David is technically correct that sub is a claim about the End-User but as the terms “claims about the Authentication event” and "claims about the End-User” are used in OpenID Connect Core, sub is in the group of claims about the Authentication event. For security reasons, it's required to appear in both the ID Token and the UserInfo response.

   The current wording is consistent with OpenID Connect Core. If we want to be pedantic, we could change the wording to “The ID Token always includes claims about the Authentication event and MAY also include additional claims about the End-User“.

   • 2022-02-10T20:06:04+00:00
5. 

   David W Chadwick

   Yes I think it would be good to be pedantic and use the revised wording. It clarifies any misunderstanding that could be generated by the original wording (as this issue has revealed).

   • 2022-02-11T08:58:06+00:00
6. 

   Michael Jones

   • changed status to resolved

   Fixed by PR #125

   • 2022-02-12T20:03:57+00:00
7. Log in to comment