SIOPv2 - Clause 5 - Para 1 - Last sentence: "The ID Token MAY include claims about the End-User."
ID Tokens always include claims about the End-User. All of the following are REQUIRED claims in an ID Token:
- iss
- sub
- aud
- exp
- iat
An ID Token can obviously include other claims as well. So I am not sure why this normative MAY is here. It would probably suffice to note that it is possible to include other claims, including ecosystem-defined claims, in the ID Token and just refer to Section 2 of OIDC Core.
Comments (6)
The distinction in the text is between claims about the authentication event for the End-User (the ones Nat cites above, which are normal ID Token claims), and claims actually about the End-User, which are defined at https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims and normally returned from the UserInfo Endpoint.
The sub claim is in the list of standard claims and is in the ID Token. Thus ID Tokens always contain at least one standard claim about the End-User. Therefore MAY is wrong.
David is technically correct that sub is a claim about the End-User, but as the terms "claims about the Authentication event" and "claims about the End-User" are used in OpenID Connect Core, sub is in the group of claims about the Authentication event. For security reasons, it's required to appear in both the ID Token and the UserInfo response. The current wording is consistent with OpenID Connect Core. If we want to be pedantic, we could change the wording to "The ID Token always includes claims about the Authentication event and MAY also include additional claims about the End-User".
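The two points the thread turns on, the five claims an ID Token always carries and the requirement that the sub returned from UserInfo match the one in the ID Token, are what a Relying Party actually has to check. The following is an added example written for this page, not text from SIOPv2, OpenID Connect Core or any implementation. It decodes a compact JWS payload, checks the REQUIRED claims and the issuer, audience, azp, exp and iat rules from OIDC Core 3.1.3.7, splits the claims into the "authentication event" group (sub included, as Mike describes) and the remaining claims about the End-User, and applies the OIDC Core 5.3.2 rule that a UserInfo response whose sub differs from the ID Token's sub must not be used. The sample token is constructed and unsigned (alg=none) only so the block runs offline; signature verification is deliberately out of scope, and all function names are this example's own.

```python
import base64
import json
import time

# Claims OpenID Connect Core section 2 makes REQUIRED in every ID Token,
# plus the optional ones that also describe the authentication event.
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")
AUTH_EVENT_CLAIMS = set(REQUIRED_ID_TOKEN_CLAIMS) | {"auth_time", "nonce", "acr", "amr", "azp"}


def _b64url_decode(segment):
    """base64url without padding, as JWS uses it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(jwt):
    """Return the claims of a compact JWS. Signature checking is deliberately
    out of scope here; a real client verifies the JWS before trusting claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def id_token_errors(claims, expected_iss, client_id, now=None, skew=60):
    """Check the ID Token claims a Relying Party must validate (OIDC Core 3.1.3.7).
    Returns a list of problems; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    errors = [f"missing required claim: {c}" for c in REQUIRED_ID_TOKEN_CLAIMS if c not in claims]
    if errors:
        return errors  # nothing below is meaningful without the required claims
    if claims["iss"] != expected_iss:
        errors.append("iss does not match the expected issuer")
    aud = claims["aud"]
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        errors.append("aud does not contain this client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        errors.append("multiple audiences but azp is missing or is not this client_id")
    if now > claims["exp"] + skew:
        errors.append("token has expired")
    if claims["iat"] > now + skew:
        errors.append("iat is in the future")
    return errors


def split_claims(claims):
    """Separate authentication-event claims (always present, sub included)
    from any additional claims about the End-User that the OP chose to add."""
    auth_event = {k: v for k, v in claims.items() if k in AUTH_EVENT_CLAIMS}
    end_user = {k: v for k, v in claims.items() if k not in AUTH_EVENT_CLAIMS}
    return auth_event, end_user


def userinfo_matches_id_token(id_claims, userinfo):
    """OIDC Core 5.3.2: the UserInfo sub MUST exactly match the ID Token sub,
    otherwise the UserInfo values MUST NOT be used."""
    return userinfo.get("sub") is not None and userinfo["sub"] == id_claims["sub"]


# Constructed sample, not a real OP response. Unsigned (alg=none) only so the
# example runs offline; never accept alg=none from a real issuer.
SAMPLE_NOW = 1_700_000_000
SAMPLE_ISSUER = "https://op.example.com"
SAMPLE_CLIENT_ID = "s6BhdRkqt3"
SAMPLE_PAYLOAD = {
    "iss": SAMPLE_ISSUER,
    "sub": "248289761001",
    "aud": SAMPLE_CLIENT_ID,
    "exp": SAMPLE_NOW + 600,
    "iat": SAMPLE_NOW,
    "auth_time": SAMPLE_NOW - 5,
    "nonce": "n-0S6_WzA2Mj",
    "name": "Jane Doe",
    "email": "janedoe@example.com",
}


def make_unsigned_jwt(payload):
    """Build the constructed sample token (header.payload. with an empty signature)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    claims = decode_payload(make_unsigned_jwt(SAMPLE_PAYLOAD))
    print("errors:", id_token_errors(claims, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, now=SAMPLE_NOW))
    auth_event, end_user = split_claims(claims)
    print("authentication event:", sorted(auth_event))
    print("about the End-User:", sorted(end_user))
    print("UserInfo sub matches:", userinfo_matches_id_token(claims, {"sub": "248289761001"}))
```

Run against the sample, the validator reports no errors, the split puts iss, sub, aud, exp, iat, auth_time and nonce in the authentication-event group and leaves name and email as the additional End-User claims, and a UserInfo body with a different sub is rejected. The split is what the revised wording in the thread describes: the first group is always there, the second is optional.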
Yes I think it would be good to be pedantic and use the revised wording. It clarifies any misunderstanding that could be generated by the original wording (as this issue has revealed).
changed status to resolved
Fixed by PR #125
Mike will review prior to the beginning of the official Implementer’s Draft voting period.