- changed title to CIBA: Means to request claims to be embedded in the issued ID token
CIBA: Means to request claims to be embedded in the issued ID token
Is there any plan to add request parameters for the backchannel authentication endpoint that can specify claims the client wishes to be embedded in the issued ID token (like the claims request parameter in OIDC Core)?
In addition, is it okay to assume that profile, email, address and phone scopes are interpreted in the same way defined in OIDC Core, 5.4. Requesting Claims using Scope Values?
Comments (7)
We should probably discuss this on the next call (in a few hours).
Yes, it's expected that profile, email, address and phone scopes have the same meaning as from OIDC core. And other scope values as defined/used by the AS/OP have the same meaning when used in CIBA as they do in other contexts. There are no current plans for something like the claims request parameter from OIDC Core.
On the 8/23 call there was general consensus that the description of the scope request parameter should be refined to more clearly reflect the fact that it's the requested scope similar to the scope parameter in other OAuth and OIDC requests. And thus allow for profile, email, address and phone scopes values as well as other scope values as defined/used by the AS/OP.
Issue #108 has been submitted to account for the above while this ticket is left open for the WG to consider the question of supporting the claims request parameter from OIDC Core (or something like it) in CIBA.
Discussed during the Nov 13 MODRNA WG call and there was general consensus to not explicitly define the claims request parameter for CIBA authentication requests. But to double check that the current language doesn't preclude extension parameters from being used (such as claims, but any extension parameter).
Pull request #47 adds a note that an authentication request may contain additional parameters defined by extension or profile. And "OpenID Providers SHOULD ignore unrecognized request parameters." is already in §7.2. Authentication Request Validation.
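As an added illustration (not code from the spec, the PR, or anyone in this thread), here is how an OP might validate a CIBA backchannel authentication request under the two points settled above: the standard scope values keep their OIDC Core 5.4 meaning, and an unrecognized extension parameter such as claims is ignored rather than rejected. The form-encoded request body and the choice to treat claims as unsupported are assumptions of the example.

```python
from urllib.parse import parse_qs

# Claim names requested by the standard scope values (OIDC Core, section 5.4).
SCOPE_CLAIMS = {
    "profile": ("name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"),
    "email": ("email", "email_verified"),
    "address": ("address",),
    "phone": ("phone_number", "phone_number_verified"),
}

# Parameters defined for the CIBA backchannel authentication request.
KNOWN_PARAMS = {"scope", "client_notification_token", "acr_values", "login_hint_token",
                "id_token_hint", "login_hint", "binding_message", "user_code",
                "requested_expiry"}
HINT_PARAMS = ("login_hint_token", "id_token_hint", "login_hint")

# Constructed sample: the client also sends an OIDC Core style "claims" parameter,
# which this OP does not support and therefore ignores (CIBA section 7.2).
SAMPLE_BODY = ("scope=openid+profile+email&login_hint=user%40example.com"
               "&binding_message=W4SCT&claims=%7B%22id_token%22%3A%7B%22email%22%3Anull%7D%7D")


def validate_backchannel_request(body: str) -> dict:
    """Validate a form-encoded backchannel authentication request body."""
    params = parse_qs(body, strict_parsing=True)
    repeated = sorted(k for k, v in params.items() if len(v) > 1)
    if repeated:
        raise ValueError(f"repeated parameter(s): {repeated}")
    flat = {k: v[0] for k, v in params.items()}

    scopes = flat.get("scope", "").split()
    if "openid" not in scopes:
        raise ValueError("scope must contain openid")
    hints = [h for h in HINT_PARAMS if h in flat]
    if len(hints) != 1:
        raise ValueError("exactly one of login_hint_token, id_token_hint, login_hint required")

    # Standard scopes map to the OIDC Core claim sets; other scopes keep the OP's own meaning.
    claims = sorted({c for s in scopes if s in SCOPE_CLAIMS for c in SCOPE_CLAIMS[s]})
    # Unrecognized parameters are ignored, not rejected; keep their names for audit logging.
    ignored = sorted(set(flat) - KNOWN_PARAMS)
    return {"scopes": scopes, "claims": claims, "hint": hints[0], "ignored_params": ignored}


if __name__ == "__main__":
    print(validate_backchannel_request(SAMPLE_BODY))
```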
- changed status to resolved
The PR relating to this has been merged. I think it's a nice compromise to not include the claims param but to prevent it from being used. Thanks to everyone for the many discussions around this topic!