On Friday, August 11, 2017, Omindu Rathnaweera <omi...@wso2.com> wrote:

> On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana <hasi...@wso2.com
> <javascript:_e(%7B%7D,'cvml','hasi...@wso2.com');>> wrote:
>> Hi,
>> Currently I am working on making WSO2 IS OpenID Connect certified. I ran
>> a test on requesting essential claims from OP, when the scope is openid. It
>> gave an error saying unexpected claims returned.
> This is not an error, but a warning correct ?
>> Then I inquired about this issue through the mailing list of OIDC
>> specifications [1]. I got some information from that as openid scope
>> should only return subject and issuer.
>> IS 5.4.0 is supporting many claims for scope openid. They are :
>>               sub,email,email_verified,name,
>> family_name,given_name,middle_name,nickname,
>>               preferred_username,profile,pic
>> ture,website,gender,birthdate,zoneinfo,locale,
>>               phone_number,phone_number_veri
>> fied,address,street,updated_at
>> I couldn't find In the OIDC specification where it mention that, openid
>> scope should only return subject and issuer.
> AFAIK, the spec has not specifically mentioned about what we should return
> for the openid scope and it only mentions about the what should be returned
> for the default 4 scopes. However it is understandable that the test client
> expects a minimum set of claims when having only the openid scope. If an RP
> needs additional claims, it should request them with specifying additional
> scopes and/or essential claims. So I think the correct behavior would be to
> return only a minimal set of claims for the openid scope.

Since the spec hasn't specifed this minimal set of claims one can argue
that it is something specific to an RP. This is how our current
implementation works as well. Although we could define a set of claim bound
to the 'openid' scope, the service provider could control what it needs
from the claims bound to openid scope by using requested claims

Changing 'openid' scope to return issuer and sub claims only will be a
breaking change for many existing providers who rely on the additional
claims (some of them could be mandatory in PoV of the RP)

IMO, if the spec doesn't mandate what should be returned for openid scope
then we can keep our existing implementation as it is.

>> Can you please help me on this issue?
>> Thank you.
>> [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/
>> subject.html
>> --
>> *Hasini Witharana*
>> Software Engineering Intern | WSO2
>> *Email : hasi...@wso2.com
>> <javascript:_e(%7B%7D,'cvml','hasi...@wso2.com');>*
>> *Mobile : +94713850143 <+94%2071%20385%200143>[image:
>> http://wso2.com/signature] <http://wso2.com/signature>*
> Regards,
> Omindu.
> --
> Omindu Rathnaweera
> Senior Software Engineer, WSO2 Inc.
> Mobile: +94 771 197 211

Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
Dev mailing list

Reply via email to