Clarify what the IDP MUST/SHOULD/MAY send in verification data.
Issue #1201
resolved
We currently say:
The RP MUST explicitly request any data it wants the OP to add to the
verification
element.
We do not say that the IDP MUST only send data if it was requested by the RP.
Do we want to say that?
If so, we also need to take a look at this example, where the IDP delivers much more verification data than requested: https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#section-6.5.1
(possibly other examples as well)
Comments (3)
-
-
- changed status to open
please have a look onto #33
-
- changed status to resolved
Resolved and merged as part of PR#33
- Log in to comment
+1 for the following reasons: