Requesting sub-claims of address claims
I’ve now been asked multiple times about requesting subclaims of the address claim under verified_claims (e.g. requesting only the country field, not the entire address).
I believe this isn’t currently possible (but please correct me if I’m wrong), but may be possible once we have the advanced syntax for claims spec.
If is not possible, I think we should explicitly call this out. e.g. https://openid.net/specs/openid-connect-4-identity-assurance-1_0.html#section-6.1 currently says:
”Use of the claims
parameter allows the RP to exactly select the Claims about the End-User needed for its use case. This extension therefore allows RPs to fulfill the requirement for data minimization.”
and I think this could have an additional sentence added something along the lines of:
”Note that it is currently only possible to request entire claims, for example there is no syntax that allows only the ‘country’ subclaim of the ‘address’ claim to be returned.”
(If I’m wrong and it is possible, we should add an example.)
Comments (8)
-
reporter -
After internal discussion, we found that the current description of the OIDC4IDA specification can read that it does not require “data minimization for claims”.
For example, when the server has dataset equivalent to the following:
{ "verified_claims": { "verification": { "trust_framework": "nist_800_63A", "time": "2021-06T05:32Z" }, "claims": { "given_name": "Inga", "place_of_birth": { "country": "USA", "region": "CA" }, "address": { "locality": "Shoshone", "country": "USA" } } } }
the request below:
{ "userinfo": { "verified_claims": { "verification": { "trust_framework": null }, "claims": { "given_name": null, "place_of_birth": null, "address": null } } } }
will obtain the following.
{ "verified_claims": { "verification": { "trust_framework": "nist_800_63A" // "time" is not included }, "claims": { "given_name": "Inga", "place_of_birth": { // All available sub-claims are included "country": "USA", "region": "CA" }, "address": { // All available sub-claims are included "locality": Shoshone", "country": "USA" } } } }
That is, the current description of the OIDC4IDA specification can achieve “data minimization for verification” but cannot achieve “data minimization for claims”.
If it meets the intention of the spec authors and the market demands, the current description of the specification can remain as is (still explicit caution for implementers should be added). However, if the spec authors and/or the market demands want "data minimization for claims" in addition to "data minimization for verification", the specification needs to be modified.
-
I think I was asked to give my opinion on this on the latest call. So here it is:
- Having a finer granularity for address and place_of_birth would be nice for this specification.
- I don’t think that that would entail many changes to the spec.
- However, I think that this would be a normative change the we might want to avoid.
- For implementers of OIDC Core, this might be surprising and unusual.
- Since we will be getting this functionality via ASC at some point (hopefully), we don’t need it here.
So I have a tendency towards “let’s not do it” here.
I would love to hear Mike Jones' opinion on this and will ping him!
-
The "claims” syntax allows selection of individual claims but not subsets of data within them. This seems fine to me as-is.
-
Discussion led to features being delivered under the ASC draft but some inprovement to language required in IDA draft to clarify that this capability is not delivered as part of the IDA draft
-
- changed component to Conditional Claims
- changed milestone to ASC ID1
-
Addressed by Transformed claims feature of ASC draft
-
- changed status to resolved
Resolved by the transformed claims feature of ASC draft
- Log in to comment
Taka pointed out to me that the
place_of_birth
claim has the same behaviour, so we may want to mention that too.