In doing some of my final testing prior to certification I’ve come across one behavior of the certification tool that puzzles me. Specifically in regards to the response content to the UserInfo endpoint. It’s very clear from the specification that if I request a particular scope, what standard claims should be returned. Likewise, if a specific claim is requested then that claim is to be returned. Any extra claims about the user also would not be returned.
However, just in my coding, I had my UserInfo endpoint always include a few claims that are more “metadata”:
aud
iat
exp
iss
For the certification tool, it's happy with the Scope tests returning these claims. But it's not happy when they are returned via the "essential claim" test. So to me that appears inconsistent in behavior. After figuring this out, I went reading through the core document and couldn't find an answer either way. There is a reference in 5.3.2 that the response SHOULD contain iss and aud if it is signed or encrypted. I'm not actually doing either (yet).
I can’t find a reason (or remember one) for including iat and exp in the UserInfo response. I’m thinking I must have done it from a cut/paste code perspective.
So, some specific questions:
1. Should iat or exp ever be included in a UserInfo response? I am thinking they don't make sense.
2. Should the certification tool care or not care about extra claims?
thanks,
Paul
-----
Paul Hethmon
Chief Software Architect
paul.h...@clareitysecurity.com
_______________________________________________
general mailing list
gen...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-general
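The filtering behaviour the post describes (claims released by scope, claims released because they were explicitly requested, and nothing else beyond sub, plus iss/aud only for a signed or encrypted response) can be written down as a small UserInfo builder. The code below is an added example, not code from Paul's implementation or from the certification tool; the scope-to-claims table is the standard one from OpenID Connect Core 1.0 section 5.4, the user record and client values are constructed sample data, and the function and parameter names are this example's own choices.

```python
"""Build an OpenID Connect UserInfo response containing only the claims the
client is entitled to.  Rules followed (OpenID Connect Core 1.0):
  - 5.3.2: 'sub' MUST always be returned; 'iss' and 'aud' SHOULD be present
           only when the response is signed or encrypted.
  - 5.4:   each scope value releases a fixed set of standard claims.
  - 5.5:   claims named in the 'userinfo' member of the claims request
           parameter are released individually (essential or voluntary);
           an unavailable claim is simply omitted, not an error.
  - 'iat' and 'exp' are token lifetime claims and have no place here.
"""

# Core 5.4: standard claims released by each scope value.
SCOPE_CLAIMS = {
    "profile": {
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    },
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed sample user record (not real data).
SAMPLE_USER = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "email": "janedoe@example.com",
    "email_verified": True,
    "phone_number": "+1 (555) 000-0000",
    "internal_account_tier": "gold",   # never a standard claim; must not leak
}


def allowed_claims(scopes, claims_request=None):
    """Union of claims released by scope and claims explicitly requested
    through the 'userinfo' member of a claims request object (Core 5.5)."""
    allowed = set()
    for scope in scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    if claims_request:
        allowed |= set((claims_request.get("userinfo") or {}).keys())
    return allowed


def build_userinfo(user, scopes, claims_request=None,
                   signed=False, issuer=None, client_id=None):
    """Return the UserInfo JSON object for `user`.

    Only granted claims that the user actually has are copied across;
    missing essential claims are omitted without error.  iss/aud are added
    only for a signed/encrypted response, and iat/exp are never added.
    """
    if "openid" not in scopes:
        raise ValueError("UserInfo requires the 'openid' scope")
    response = {"sub": user["sub"]}            # Core 5.3.2: always present
    for name in sorted(allowed_claims(scopes, claims_request)):
        if name != "sub" and name in user:
            response[name] = user[name]
    if signed:                                 # Core 5.3.2: SHOULD for JWT responses
        response["iss"] = issuer
        response["aud"] = client_id
    return response


if __name__ == "__main__":
    # Scope-based release: only the email claims come back.
    print(build_userinfo(SAMPLE_USER, ["openid", "email"]))
    # Essential-claim request: 'name' is released even without 'profile' scope.
    req = {"userinfo": {"name": {"essential": True}, "birthdate": None}}
    print(build_userinfo(SAMPLE_USER, ["openid"], claims_request=req))
```

Running it shows the two cases from the post side by side: the scope test yields sub plus the email claims, and the essential-claim test yields sub plus name only (birthdate is requested but absent from the record, so it is dropped silently). In neither case do iat, exp, or the non-standard internal field appear, and iss/aud show up only when `signed=True`.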