What happens if a verified_claims claim is requested that is not known to the OP?
E.g.
{
  "userinfo": {
    "verified_claims": {
      "verification": {
        "trust_framework": null
      },
      "claims": {
        "NONEXISTING_CLAIM": null,
        "ANOTHER_NONEXISTING_CLAIM": { "essential": true },
        "COMPLETE $ AND UTTER NONSENSE @?": null
      }
    }
  }
}
Also affects claims that do exist, but are not supported as verified_claims.
Proposal: Ignore these claims in the response.
Comments (6)
reporter:
In line with our recent decisions regarding unknown identifiers and OIDC core, I would expect the OP to return a response but omit the unknown claims. If the claims container would be empty, the OP should omit the verified_claims element. Does this sound reasonable?
reporter:
Sounds good. I’ll prepare a pull request.
reporter:
Yep, this is what OIDC core says about “not returned” and “not present” claims:
5.3.2. Successful UserInfo Response
For privacy reasons, OpenID Providers MAY elect to not return values for some requested Claims.
If a Claim is not returned, that Claim Name SHOULD be omitted from the JSON object representing the Claims; it SHOULD NOT be present with a null or empty string value.
and
5.5.1. Individual Claims Requests
By requesting Claims as Essential Claims, the RP indicates to the End-User that releasing these Claims will ensure a smooth authorization for the specific task requested by the End-User. Note that even if the Claims are not available because the End-User did not authorize their release or they are not present, the Authorization Server MUST NOT generate an error when Claims are not returned, whether they are Essential or Voluntary, unless otherwise specified in the description of the specific claim.
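The behaviour agreed in this thread, written out as an added example (not code from the issue or from any OpenID implementation): an OP-side helper that answers a userinfo claims request, silently drops verified_claims entries it does not know or does not support as verified (whether or not they are marked essential), and omits the verified_claims element entirely when nothing survives. The supported-claim set and the user record are constructed for the example.

```python
# Constructed sample: the claims this OP can assert inside verified_claims (assumption).
SUPPORTED_VERIFIED_CLAIMS = {"given_name", "family_name", "birthdate"}

# Constructed sample user record; "email" exists as a plain claim but is not verified.
USER_RECORD = {
    "sub": "user-123",
    "email": "alice@example.invalid",
    "verified_claims": {
        "verification": {"trust_framework": "de_aml"},
        "claims": {"given_name": "Alice", "family_name": "Example", "birthdate": "1990-01-01"},
    },
}


def build_userinfo_response(claims_request: dict, user: dict) -> dict:
    """Build the userinfo JSON for a claims request.

    Unknown claim names, and claims that exist but are not supported as
    verified_claims, are ignored rather than answered with null or an error,
    even when requested with {"essential": true} (OIDC Core 5.5.1 forbids an
    error there).  If no requested verified claim can be released, the whole
    verified_claims element is left out, matching the proposal in this thread.
    """
    response = {"sub": user["sub"]}
    requested = claims_request.get("userinfo", {}).get("verified_claims") or {}
    wanted = requested.get("claims") or {}
    available = user.get("verified_claims", {}).get("claims", {})

    # Keep only names the OP supports as verified AND actually holds for this user.
    released = {
        name: available[name]
        for name in wanted
        if name in SUPPORTED_VERIFIED_CLAIMS and name in available
    }

    if released:  # omit the element rather than returning an empty "claims" container
        response["verified_claims"] = {
            "verification": user["verified_claims"]["verification"],
            "claims": released,
        }
    return response
```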
- changed status to resolved
merged PR