- changed milestone to Implementer's Draft 4
Missing clarity in Section 5.3
I think that Section 5.3 needs more clarity. It currently reads:
5.3. verified_claims Delivery
OPs can deliver verified_claims in various ways.
A verified_claims element can be added to an OpenID Connect UserInfo response or an ID Token.
OAuth Authorization Servers can add verified_claims to access tokens in JWT format or Token Introspection responses, either in plain JSON or JWT-protected format.
An OP or AS MAY also include verified_claims in the aforementioned assertions as aggregated or distributed Claims (see Section 5.6.2 of the OpenID Connect specification [OpenID]).
In this case, every assertion provided by the external Claims source MUST contain
an iss Claim identifying the claims source,
a sub Claim identifying the End-User in the context of the claim source,
a verified_claims element containing one or more verified_claims objects.
The verified_claims element in a response MUST have one of the following forms:
a JSON string referring to a certain claim source (as defined in [OpenID])
a JSON array of strings referring to the different claim sources
a JSON object composed of sub elements formatted with the syntax as defined for requesting verified_claims where the name of the object is the name of the respective claim source. Every object contains additional information about the verified_claims object provided by the respective claims source, i.e., the End-User Claims and verification data provided by the respective claims source. This allows the RP to look ahead before it actually requests distributed Claims in order to prevent extra time, cost, data collisions, etc. caused by these requests.
Questions:
- Which case does “In this case” refer to? Only the last one?
- Which case does “The verified_claims element in a response” refer to? EVERY response? If yes, then why doesn’t it list the cases where no aggregated or distributed claims are used?
- I found the last point not clear enough. What is the name of the object? (I can guess from the example, but this really needs a more precise definition.)
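The three forms listed above for the verified_claims element (a string, an array of strings, or an object keyed by claim-source name) and the iss/sub/verified_claims requirement on each external assertion can be checked mechanically. The following is an added example, not part of this issue or the specification: a small Python validator over a constructed UserInfo response that delivers verified_claims as distributed Claims via _claim_names/_claim_sources (OpenID Connect Core 5.6.2), plus constructed stand-ins for the assertions an RP would fetch from each source. All URLs, source names and claim values are made up.

```python
import json

# Constructed sample UserInfo response (not from the spec): verified_claims is
# delivered as distributed Claims, so the element under _claim_names names the
# claim sources and _claim_sources tells the RP where to fetch each assertion.
SAMPLE_USERINFO = json.loads("""
{
  "iss": "https://server.example.com",
  "sub": "248289761001",
  "email": "janedoe@example.com",
  "_claim_names": {
    "verified_claims": ["src1", "src2"]
  },
  "_claim_sources": {
    "src1": {"endpoint": "https://server.otherop.example/claim_source",
             "access_token": "ksj3n283dke"},
    "src2": {"endpoint": "https://server.yetanotherop.example/claim_source"}
  }
}
""")

# Constructed assertions, as if already fetched from each endpoint (offline stand-ins).
SAMPLE_ASSERTIONS = {
    "src1": {
        "iss": "https://server.otherop.example",
        "sub": "e8148603-8934-4245-825b-c108b8b6b945",
        "verified_claims": {
            "verification": {"trust_framework": "eidas"},
            "claims": {"given_name": "Max", "family_name": "Meier"},
        },
    },
    "src2": {
        # Deliberately missing "sub": the check below must flag this assertion.
        "iss": "https://server.yetanotherop.example",
        "verified_claims": {
            "verification": {"trust_framework": "de_aml"},
            "claims": {"birthdate": "1956-01-28"},
        },
    },
}


def claim_source_names(response):
    """Return the claim-source names referenced by verified_claims in _claim_names.

    Per the quoted text the element is a single string, an array of strings,
    or an object keyed by claim-source name; any other shape is a protocol error.
    """
    ref = response.get("_claim_names", {}).get("verified_claims")
    if isinstance(ref, str):
        return [ref]
    if isinstance(ref, list) and all(isinstance(x, str) for x in ref):
        return list(ref)
    if isinstance(ref, dict):
        return list(ref.keys())
    raise ValueError("verified_claims in _claim_names has an unsupported form")


def check_assertion(assertion):
    """Return the list of problems with one external claim-source assertion.

    Per the quoted text every assertion MUST carry iss, sub and a verified_claims
    element (one object, or an array of objects for "one or more").
    """
    problems = []
    for required in ("iss", "sub"):
        if not isinstance(assertion.get(required), str):
            problems.append(f"missing or non-string {required}")
    vc = assertion.get("verified_claims")
    if vc is None:
        problems.append("missing verified_claims")
    elif not (isinstance(vc, dict)
              or (isinstance(vc, list) and all(isinstance(v, dict) for v in vc))):
        problems.append("verified_claims is neither an object nor an array of objects")
    return problems


def validate_distributed(response, fetched):
    """Check a response and the assertions fetched for it; returns {source: [problems]}."""
    result = {}
    sources = response.get("_claim_sources", {})
    for name in claim_source_names(response):
        if name not in sources:
            result[name] = ["no matching entry in _claim_sources"]
            continue
        # Core 5.6.2: a distributed source carries "endpoint", an aggregated one "JWT".
        if "endpoint" not in sources[name] and "JWT" not in sources[name]:
            result[name] = ["_claim_sources entry has neither endpoint nor JWT"]
            continue
        if name not in fetched:
            result[name] = ["assertion not fetched"]
            continue
        result[name] = check_assertion(fetched[name])
    return result


if __name__ == "__main__":
    print(json.dumps(validate_distributed(SAMPLE_USERINFO, SAMPLE_ASSERTIONS), indent=2))
```

Running it reports no problems for src1 and "missing or non-string sub" for src2, which is exactly the kind of check an RP would want before trusting a distributed verified_claims assertion.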
Comments (4)
Which case does “In this case” refer to? Only the last one?
aggregated or distributed Claims
re 2: it’s all about distributed and aggregated claims
re 3: I agree.
PR #117 raised to address this issue
- changed status to resolved
resolved by PR #117