Responses inline…
From: openid-conn...@googlegroups.com [mailto:openid-conn...@googlegroups.com]
On Behalf Of Paul Hethmon
Sent: Wednesday, May 4, 2016 5:49 AM
To: OpenID Connect Interop <openid-conn...@googlegroups.com>
Subject: claims vs scopes vs extra
Note: this is a repost from the openid general list per recommendation.
In doing some of my final testing prior to certification I’ve come across one behavior of the certification tool that puzzles me. Specifically in regards to the response content to the UserInfo endpoint. It’s very clear from the specification that if I request a particular scope, what standard claims should be returned. Likewise, if a specific claim is requested then that claim is to be returned. Any extra claims about the user also would not be returned.
Actually, extra claims can be returned at the discretion of the OP at any time.
However, just in my coding, I had my UserInfo endpoint always include a few claims that are more “metadata”:
aud
iat
exp
iss
I would not do this. While allowed, some code may get confused or trigger errors if receiving claims that it expects to be in the ID Token in the UserInfo response. It’s legal, but could reduce interop.
For the certification tool, it’s happy with the Scope tests returning these claims. But it’s not happy when they are returned via the “essential claim” test. So to me that appears inconsistent in behavior. After figuring this out, I went reading through the core document and couldn’t find an answer either way. There is a reference in 5.3.2 that the response SHOULD contain iss and aud if it is signed or encrypted. I’m not actually doing either (yet).
I can’t find a reason (or remember one) for including iat and exp in the UserInfo response. I’m thinking I must have done it from a cut/paste code perspective.
Yes, the spec doesn’t ask for this (other than in the Encrypted case).
So, some specific questions:
1. Should iat or exp ever be included in a UserInfo response? I am thinking they don’t make sense.
No
2. Should the certification tool care or not care about extra claims?
It should ignore them. If it doesn’t, please file a bug at https://bitbucket.org/openid/certification/issues?status=new&status=open.
thanks,
Paul
Best wishes,
-- Mike
-----
Paul Hethmon
Chief Software Architect
paul.h...@clareitysecurity.com
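The behaviour discussed in this thread, as an added example that is not code from the thread, the certification tool or any OpenID library: an OP-side function that builds a UserInfo body from the granted scopes and the `claims` request parameter (the scope-to-claims table of OpenID Connect Core 1.0 section 5.4, `sub` always present per 5.3.2, `iss`/`aud` added only when the response is signed or encrypted, and no `iat`/`exp` at all), beside an RP-side check that verifies `sub` and the essential claims it needs while ignoring any extra claims the OP chose to add. The user record, claim values, issuer and client id are constructed sample data; the function names are this example's own.

```python
"""Illustrative OP-side and RP-side handling of the OIDC UserInfo response.

Added example, not code from the thread or any certification tool. It encodes
the scope-to-claims table of OpenID Connect Core 1.0 section 5.4, always
returns `sub` (section 5.3.2), honours a `claims` request parameter (section
5.5) and adds `iss`/`aud` only for a signed or encrypted response. It never
emits `iat`/`exp`, which the spec does not define for UserInfo.
"""
import json

# Scope -> standard claims (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": [
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    ],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

# Constructed sample user record: hypothetical values, not real data.
USER = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "janedoe@example.com",
    "email_verified": True,
    "phone_number": "+1 (555) 555-0100",
    "employee_id": "E-4711",  # non-standard claim the OP may choose to add
}


def requested_claims(granted_scopes, claims_request=None):
    """Claim names the RP asked for via scopes and the `claims` parameter."""
    names = {"sub"}  # sub MUST always be returned (section 5.3.2)
    for scope in granted_scopes:
        names.update(SCOPE_CLAIMS.get(scope, []))
    # claims request shape (section 5.5):
    # {"userinfo": {"email": {"essential": true}, "nickname": null}}
    userinfo_part = (claims_request or {}).get("userinfo") or {}
    names.update(userinfo_part.keys())
    return names


def build_userinfo_response(user, granted_scopes, claims_request=None,
                            issuer=None, client_id=None, signed=False,
                            extra_claims=()):
    """OP side: assemble the UserInfo JSON body.

    `extra_claims` lets the OP add claims beyond what was requested, which
    the spec allows at the OP's discretion. `iss`/`aud` are added only when
    the response will be signed or encrypted (section 5.3.2).
    """
    wanted = requested_claims(granted_scopes, claims_request) | set(extra_claims)
    body = {name: user[name] for name in wanted if name in user}
    if signed:
        body["iss"] = issuer
        body["aud"] = client_id
    return body


def check_userinfo(body, id_token_sub, essential=()):
    """RP side: validate a UserInfo body and report problems.

    Claims the RP did not ask for are simply ignored, never treated as an
    error. Returns a dict with a `missing_essential` list and a
    `sub_mismatch` flag.
    """
    problems = {"missing_essential": [], "sub_mismatch": False}
    if body.get("sub") != id_token_sub:  # 5.3.2: sub MUST match the ID Token
        problems["sub_mismatch"] = True
    for name in essential:
        if name not in body:
            problems["missing_essential"].append(name)
    return problems


if __name__ == "__main__":
    claims_req = {"userinfo": {"email": {"essential": True}}}
    resp = build_userinfo_response(USER, ["openid", "profile"], claims_req,
                                   extra_claims=["employee_id"])
    print(json.dumps(resp, indent=2))
    print(check_userinfo(resp, "248289761001", essential=["email"]))
```

Run stand-alone, the script prints a body containing `sub`, the `profile` claims present in the record, the essential `email` claim and the OP's extra `employee_id`, with no `iat`, `exp`, `iss` or `aud`; the RP-side check then reports nothing missing, which is the tolerant behaviour the reply above asks of the certification tool.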