Hi Hasini,

> IMO, if the spec doesn't mandate what should be returned for openid scope
> then we can keep our existing implementation as it is


+1. If we change this behavior it will break the existing scenarios of our
product users. AFAIR we discussed this in the past as well, once we ran the
certification for the basic and implicit profiles. According to the test client,
it gives a warning as the server returns some unexpected claims.

IS 5.4.0 supports many claims for the openid scope. They are:
> sub, email, email_verified, name, family_name, given_name, middle_name, nickname,
> preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale,
> phone_number, phone_number_verified, address, street, updated_at
>

Yes, in IS 5.4.0 it will return all those claims, as we have defined all
of these claims under the openid scope inside the registry by default. So our
conclusion from the previous discussions was to handle such test-case
specific scenarios by changing the claims defined for the openid scope
accordingly in the registry. If users wish to get a minimum number of
claims with the scope 'openid', they need to define those claims in the
registry by changing the default configuration.

Thanks,

Hasanthi Dissanayake

Software Engineer | WSO2

E: [email protected]
M: 0718407133 | http://wso2.com

On Fri, Aug 11, 2017 at 10:13 AM, Farasath Ahamed <[email protected]>
wrote:

>
>
> On Friday, August 11, 2017, Omindu Rathnaweera <[email protected]> wrote:
>
>>
>>
>> On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana <[email protected]>
>> wrote:
>>
>>> Hi,
>>>
>>> Currently I am working on making WSO2 IS OpenID Connect certified. I ran
>>> a test on requesting essential claims from the OP when the scope is openid. It
>>> gave an error saying unexpected claims were returned.
>>>
>>
>> This is not an error, but a warning, correct?
>>
>>
>>> Then I inquired about this issue through the mailing list of the OIDC
>>> specifications [1]. The information I got from there is that the openid scope
>>> should only return subject and issuer.
>>>
>>> IS 5.4.0 supports many claims for the openid scope. They are:
>>> sub, email, email_verified, name, family_name, given_name, middle_name, nickname,
>>> preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale,
>>> phone_number, phone_number_verified, address, street, updated_at
>>>
>>> I couldn't find in the OIDC specification where it mentions that the openid
>>> scope should only return subject and issuer.
>>>
>>
>> AFAIK, the spec has not specifically mentioned what we should
>> return for the openid scope; it only mentions what should be
>> returned for the default 4 scopes. However, it is understandable that the
>> test client expects a minimum set of claims when having only the openid
>> scope. If an RP needs additional claims, it should request them by
>> specifying additional scopes and/or essential claims. So I think the
>> correct behavior would be to return only a minimal set of claims for the
>> openid scope.
>>
>
> Since the spec hasn't specified this minimal set of claims, one can argue
> that it is something specific to an RP. This is how our current
> implementation works as well. Although we could define a set of claims bound
> to the 'openid' scope, the service provider could control what it needs
> from the claims bound to the openid scope by using the requested claims
> configuration.
>
> Changing the 'openid' scope to return the issuer and sub claims only will be a
> breaking change for many existing providers who rely on the additional
> claims (some of them could be mandatory from the PoV of the RP).
>
> IMO, if the spec doesn't mandate what should be returned for the openid scope
> then we can keep our existing implementation as it is.
>
>
>>
>>> Can you please help me on this issue?
>>>
>>> Thank you.
>>>
>>>
>>> [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html
>>>
>>> --
>>>
>>> Hasini Witharana
>>> Software Engineering Intern | WSO2
>>>
>>> Email : [email protected]
>>> Mobile : +94713850143
>>> http://wso2.com/signature
>>>
>>
>>
>> Regards,
>> Omindu.
>>
>> --
>> Omindu Rathnaweera
>> Senior Software Engineer, WSO2 Inc.
>> Mobile: +94 771 197 211
>>
>
>
> --
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>
> http://wso2.com/signature
>
>
>
>
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev

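The two positions in the thread (return only a minimal set for 'openid' and let the RP ask for more, versus keep the wide registry-defined set) come down to how the OP resolves claims from the scope-to-claims mapping and the `claims` request parameter, and what a strict conformance client then counts as "unexpected". The following is an added example, not WSO2 Identity Server code or anything from the thread's authors; the scope mappings (`WIDE_OPENID_MAPPING` is modelled on the IS 5.4.0 list quoted above, `MINIMAL_OPENID_MAPPING` on the "sub only" proposal), the sample user and the function names are all constructed for illustration. The standard scope-to-claims table is the one in OpenID Connect Core 1.0 section 5.4.

```python
"""Resolving which user claims an OP returns for a given scope set.

Added example, not WSO2 Identity Server code. It models the two inputs the
thread talks about: a configurable scope -> claims mapping (like the one IS
keeps in the registry) and the OIDC `claims` request parameter, and then
checks the result against the standard scope definitions in OpenID Connect
Core 1.0 section 5.4, the way a strict conformance test client would.
All mappings and the sample user profile below are constructed data.
"""

# Standard scope -> claims table, OpenID Connect Core 1.0 section 5.4.
STANDARD_SCOPE_CLAIMS = {
    "profile": frozenset({
        "name", "family_name", "given_name", "middle_name", "nickname",
        "preferred_username", "profile", "picture", "website", "gender",
        "birthdate", "zoneinfo", "locale", "updated_at",
    }),
    "email": frozenset({"email", "email_verified"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phone_number", "phone_number_verified"}),
}

# Constructed mapping mirroring the list quoted in the thread for the IS 5.4.0
# default: the whole set (plus the non-standard 'street') is bound to 'openid'.
# Hypothetical data, not read from a real registry.
WIDE_OPENID_MAPPING = {
    "openid": frozenset({"sub", "street"}).union(*STANDARD_SCOPE_CLAIMS.values()),
    **STANDARD_SCOPE_CLAIMS,
}

# Minimal mapping: 'openid' yields only the subject identifier.
MINIMAL_OPENID_MAPPING = {"openid": frozenset({"sub"}), **STANDARD_SCOPE_CLAIMS}


def resolve_claims(scope_mapping, scopes, claims_request=None, target="userinfo"):
    """Return the set of claim names the OP will try to release.

    `scopes` is the parsed scope parameter; `claims_request` is the parsed
    JSON of the `claims` request parameter, e.g.
    {"userinfo": {"email": {"essential": True}}}. Claims named there for
    `target` are added regardless of scope, which is how an RP asks for
    more than the minimal set without widening the scope.
    """
    if "openid" not in scopes:
        raise ValueError("not an OpenID Connect request: 'openid' scope missing")
    names = set()
    for scope in scopes:
        names |= scope_mapping.get(scope, frozenset())
    requested = (claims_request or {}).get(target) or {}
    names |= set(requested)
    return names


def unexpected_claims(returned, scopes, claims_request=None, target="userinfo"):
    """Claims in `returned` that nothing in the request justifies.

    Expected = 'sub', plus the section 5.4 claims of each standard scope
    present, plus anything explicitly listed in the `claims` parameter.
    A conformance client that warns about "unexpected claims" is applying
    a rule of this shape.
    """
    expected = {"sub"}
    for scope in scopes:
        expected |= STANDARD_SCOPE_CLAIMS.get(scope, frozenset())
    expected |= set((claims_request or {}).get(target) or {})
    return set(returned) - expected


def build_userinfo(profile, claim_names):
    """Project the user's attributes onto the resolved claim names.

    Attributes the user does not have are simply omitted, as the spec allows.
    """
    return {name: profile[name] for name in sorted(claim_names) if name in profile}


# Constructed sample user, not real data.
SAMPLE_USER = {
    "sub": "user-1234",
    "name": "Sample User",
    "given_name": "Sample",
    "email": "user@example.com",
    "email_verified": True,
    "phone_number": "+00 000 000 000",
    "street": "1 Example Street",
}

if __name__ == "__main__":
    essential_email = {"userinfo": {"email": {"essential": True}}}
    for label, mapping in (("wide", WIDE_OPENID_MAPPING), ("minimal", MINIMAL_OPENID_MAPPING)):
        names = resolve_claims(mapping, ["openid"], essential_email)
        print(label, build_userinfo(SAMPLE_USER, names))
        print("  unexpected:", sorted(unexpected_claims(names, ["openid"], essential_email)))
```

Run as a script it prints, for the wide mapping, every attribute the sample user has together with a non-empty "unexpected" list (the warning the test client raised), and for the minimal mapping only `sub` and `email`, the latter justified by the essential-claims request, with nothing unexpected. The same `unexpected_claims` check can be pointed at a real userinfo response to see, before a certification run, which registry-bound claims a strict client would flag.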