[OpenID] claims vs scopes vs extra


Paul Hethmon

May 3, 2016, 5:30:20 PM
to openid-...@lists.openid.net
In doing some of my final testing prior to certification I’ve come across one behavior of the certification tool that puzzles me. Specifically in regards to the response content to the UserInfo endpoint. It’s very clear from the specification that if I request a particular scope, what standard claims should be returned. Likewise, if a specific claim is requested then that claim is to be returned. Any extra claims about the user also would not be returned.

However, just in my coding, I had my UserInfo endpoint always include a few claims that are more “metadata”:

aud
iat
exp
iss

For the certification tool, it’s happy with the Scope tests returning these claims. But it’s not happy when they are returned via the “essential claim” test. So to me that appears inconsistent in behavior. After figuring this out, I went reading through the core document and couldn’t find an answer either way. There is a reference in 5.3.2 that the response SHOULD contain iss and aud if it is signed or encrypted. I’m not actually doing either (yet).

I can’t find a reason (or remember one) for including iat and exp in the UserInfo response. I’m thinking I must have done it from a cut/paste code perspective.

So, some specific questions:

1. Should iat or exp ever be included in a UserInfo response? I am thinking they don’t make sense.
2. Should the certification tool care or not care about extra claims?

thanks,

Paul

-----
Paul Hethmon
Chief Software Architect
paul.h...@clareitysecurity.com



John Bradley

May 3, 2016, 6:33:02 PM
to Paul Hethmon, openid-...@lists.openid.net
There is a specific interop Google Group/list https://groups.google.com/forum/#!forum/openid-connect-interop

That is the best place to discuss bugs in the tests.

Those claims make the most sense if the response is signed. However, they should not cause a fail if unsigned.

I suspect that you are the only person returning those so it is probably a bug in the test. Contact the list and we will try and get it sorted out.

Regards
John B.
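To make the scope-vs-claims rule and the "iss/aud only when signed" point from the thread concrete, here is an added example (not code from either poster or from the certification tool). It assumes a fixed scope-to-claims table taken from OIDC Core 5.4, an in-memory user record, and an HS256-signed JWT when a signing key is supplied; iat and exp are deliberately not emitted, matching the discussion above.

```python
# Added example: build a UserInfo response following the rules discussed
# in the thread. Assumptions: scope table from OIDC Core 5.4, constructed
# user record, HS256 signing when a key is given. Not the OP's real code.
import base64
import hashlib
import hmac
import json

# Standard claims released by each scope (OIDC Core 5.4). "openid" itself
# releases no UserInfo claims beyond "sub".
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed sample user record keyed by subject identifier.
USERS = {
    "248289761001": {"name": "Jane Doe", "email": "janedoe@example.com",
                     "email_verified": True, "phone_number": "+1 555 0100",
                     "updated_at": 1462300000},
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_userinfo(sub, scopes, requested_claims=(), *, issuer, client_id,
                   sign_key=None):
    """Return (claims_dict, wire_body). A claim is released only if a granted
    scope covers it or it was requested explicitly via the claims parameter.
    iss and aud are added only when the response is a signed JWT (Core 5.3.2)."""
    user = USERS[sub]
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    allowed |= set(requested_claims)
    claims = {"sub": sub}  # sub is always required in a UserInfo response
    claims.update({k: v for k, v in user.items() if k in allowed})
    if sign_key is None:
        # Unsigned: plain JSON body with no iss/aud/iat/exp metadata.
        return claims, json.dumps(claims)
    claims.update({"iss": issuer, "aud": client_id})
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(sign_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return claims, f"{header}.{payload}.{b64url(sig)}"
```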
