"The OP MUST support the claims parameter..."
There is the following statement at the end of the section about OP Metadata:
“The OP MUST support the claims parameter and needs to publish this in its openid-configuration using the claims_parameter_supported element.”
This precludes use of OIDC4IDA without the claims request parameter which is not the intent.
Comments (4)
reporter My understanding of the intent arising from previous discussions was that scope based should be permitted but was not really how we envisaged OIDC4IDA should be used for all the privacy preserving reasons that the claims request parameter enables.
The text I quoted above is directly contradicting another statement in the spec near the top of section 6 “Requesting Verified Claims”:
“It is also possible to use the scope parameter to request one or more specific pre-defined Claim sets as defined in Section 5.4 of the OpenID Connect specification [OpenID].”
There is also section 6.6 “Requesting sets of Claims by scope”.
reporter - changed status to open
reporter - changed status to resolved
Resolved by PR #145
If that is not the intent then what is the intended primary way to request verified claims? Scopes? If that’s the case, this option must be made much more prominent.
I think claims should be the primary way to go as it is the most flexible way.
Using scopes will most likely require deployment specific scope values. That requires dedicated setup and, if done in a privacy preserving manner, a couple of scope values. Not sure what this means in terms of interoperability. Do we have implementation experience with this approach?
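
An added illustration of the two request styles discussed in this thread (not part of the issue or of the specification text): a relying party reads the OP's claims_parameter_supported metadata and, when it is true, asks for individual verified claims through the claims request parameter; otherwise it falls back to a scope value. The endpoint URLs, client values, the trust framework value and the scope name verified_identity_basic are constructed for this example.

```python
import json
import secrets
from urllib.parse import urlencode

# Constructed OP metadata documents (assumptions, not from a real deployment).
OP_WITH_CLAIMS = {"authorization_endpoint": "https://op.example/authorize",
                  "claims_parameter_supported": True}
OP_SCOPE_ONLY = {"authorization_endpoint": "https://op.example/authorize"}


def build_auth_request(op_metadata, client_id, redirect_uri, wanted_claims,
                       trust_framework=None, fallback_scope=None):
    """Return an authorization request URL asking for verified claims.

    Prefers the claims request parameter, which names each claim
    individually; uses a deployment-specific scope only as a fallback.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
    }
    # Per OpenID Connect Discovery, an absent value means "not supported".
    if op_metadata.get("claims_parameter_supported") is True:
        tf = {"value": trust_framework} if trust_framework else None
        verified = {
            "verification": {"trust_framework": tf},
            # null (None) means "please return this claim", nothing more.
            "claims": {name: None for name in wanted_claims},
        }
        params["claims"] = json.dumps(
            {"userinfo": {"verified_claims": verified}},
            separators=(",", ":"))
    elif fallback_scope:
        # The scope returns a pre-defined claim set chosen by the deployment.
        params["scope"] = "openid " + fallback_scope
    else:
        raise ValueError("OP advertises no claims parameter support "
                         "and no fallback scope was configured")
    return op_metadata["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    print(build_auth_request(OP_WITH_CLAIMS, "client1", "https://rp.example/cb",
                             ["given_name", "family_name"], "de_aml"))
```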