[WG-OTTO] signaling attribute requirements for OIDC

Mike Schwartz mike at gluu.org
Mon Aug 31 10:41:00 CDT 2015


Roland,

I see your point, but this happens post-authorization. There is no RP 
discovery, so there is no way for the OP to know ahead of time what 
claims are required by the RP. As trust is still explicit (even if 
dynamic registration enables the client to obtain credentials 
automatically), I still see the potential for friction.

- Mike



> OIDC allows an RP to specify which claims it wants returned and also if
> you want them in the ID token or as part
> of the user info. All using the claims request parameter
> (http://openid.net/specs/openid-connect-core-1_0.html#Claims).
> This means you can go way beyond the standard scopes.
> 
> Now, all implementors may not have implemented this but it’s in the 
> standard.
> 
> — Roland
> 'Look, that's why there's rules, understand? So that you think before
> you break ’em.’ - Terry Pratchett

-- 
-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
mike at gluu.org
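
The claims request parameter discussed in this thread, as an added example that is not part of the original messages or of any Gluu or OpenID Foundation code: an RP encodes per-claim requirements into the authorization request, and the OP, which first sees them at that point, parses them and lists essential claims it cannot release. The endpoint, client_id, redirect_uri, acr value and the helper names are constructed placeholders.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder endpoint; not a real OP.
AUTHZ_ENDPOINT = "https://op.example.com/authorize"

def build_auth_request(claims_request):
    """RP side: carry per-claim requirements in the `claims` parameter."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": "example-client",               # placeholder
        "redirect_uri": "https://rp.example.org/cb",  # placeholder
        "state": "constructed-state",
        "claims": json.dumps(claims_request, separators=(",", ":")),
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def requested_claims(auth_url):
    """OP side: return {target: {claim_name: essential}} from the request."""
    query = parse_qs(urlparse(auth_url).query)
    parsed = json.loads(query.get("claims", ["{}"])[0])
    result = {}
    for target in ("id_token", "userinfo"):
        members = parsed.get(target) or {}
        # A null value means "requested, voluntary"; essential defaults to false.
        result[target] = {name: bool((spec or {}).get("essential", False))
                          for name, spec in members.items()}
    return result

def missing_essential(auth_url, releasable):
    """Essential claims, per target, that the OP is unable to release."""
    req = requested_claims(auth_url)
    return {t: sorted(n for n, ess in c.items() if ess and n not in releasable)
            for t, c in req.items()}

# Constructed sample request: two userinfo claims, two ID token claims.
EXAMPLE_CLAIMS = {
    "userinfo": {"email": {"essential": True}, "given_name": None},
    "id_token": {"acr": {"essential": True, "values": ["urn:example:loa2"]},
                 "auth_time": {"essential": True}},
}

if __name__ == "__main__":
    url = build_auth_request(EXAMPLE_CLAIMS)
    print(url)
    print(requested_claims(url))
    print(missing_essential(url, releasable={"email", "auth_time", "given_name"}))
```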

