On Fri, Aug 11, 2017 at 10:13 AM, Farasath Ahamed <[email protected]> wrote:

> On Friday, August 11, 2017, Omindu Rathnaweera <[email protected]> wrote:
>
>> On Thu, Aug 10, 2017 at 5:15 PM, Hasini Witharana <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> Currently I am working on making WSO2 IS OpenID Connect certified. I ran a test on requesting essential claims from the OP when the scope is openid. It gave an error saying unexpected claims returned.
>>
>> This is not an error, but a warning, correct?
>>
>>> Then I inquired about this issue through the mailing list of the OIDC specifications [1]. The information I got from there was that the openid scope should only return subject and issuer.
>>>
>>> IS 5.4.0 is supporting many claims for scope openid. They are:
>>> sub, email, email_verified, name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, phone_number, phone_number_verified, address, street, updated_at
>>>
>>> I couldn't find in the OIDC specification where it mentions that the openid scope should only return subject and issuer.
>>
>> AFAIK, the spec has not specifically mentioned what we should return for the openid scope, and it only mentions what should be returned for the default 4 scopes. However, it is understandable that the test client expects a minimum set of claims when having only the openid scope. If an RP needs additional claims, it should request them by specifying additional scopes and/or essential claims. So I think the correct behavior would be to return only a minimal set of claims for the openid scope.
>
> Since the spec hasn't specified this minimal set of claims, one can argue that it is something specific to an RP. This is how our current implementation works as well. Although we could define a set of claims bound to the 'openid' scope, the service provider could control what it needs from the claims bound to the openid scope by using the requested claims configuration.
>
> Changing the 'openid' scope to return issuer and sub claims only will be a breaking change for many existing providers who rely on the additional claims (some of them could be mandatory from the PoV of the RP).
>
> IMO, if the spec doesn't mandate what should be returned for the openid scope, then we can keep our existing implementation as it is.

+1 to keep existing claims if it's not a spec violation. Seems like we have defined all the standard claims mentioned in the spec [1] under our openid scope implementation. So if someone needs to remove some of the claims, they can remove them from the OIDC configurations in the registry.

[1] http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

>>> Can you please help me on this issue?
>>>
>>> Thank you.
>>>
>>> [1] - http://lists.openid.net/pipermail/openid-specs/2017-August/subject.html
>>>
>>> --
>>> Hasini Witharana
>>> Software Engineering Intern | WSO2
>>> Email : [email protected]
>>> Mobile : +94713850143
>>
>> Regards,
>> Omindu.
>>
>> --
>> Omindu Rathnaweera
>> Senior Software Engineer, WSO2 Inc.
>> Mobile: +94 771 197 211
>
> --
> Farasath Ahamed
> Software Engineer, WSO2 Inc.; http://wso2.com
> Mobile: +94777603866
> Blog: blog.farazath.com
> Twitter: @farazath619 <https://twitter.com/farazath619>

--
Ashen Weerathunga
Software Engineer
WSO2 Inc.: http://wso2.com
lean.enterprise.middleware
Email: [email protected]
Mobile: +94716042995
LinkedIn: http://lk.linkedin.com/in/ashenweerathunga

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
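The two behaviours argued over in this thread, a bare `openid` scope that returns only `sub` versus one that returns the whole IS 5.4.0 claim list, can be made concrete with a small claim filter. The Python below is an added example, not WSO2 Identity Server code: it maps the four standard scopes to their claims as OpenID Connect Core 1.0 section 5.4 defines them, honours the `claims` request parameter (section 5.5, including `essential`), and exposes the `openid` behaviour as a policy switch. The `unexpected_claims` check at the end is the kind of comparison a conformance tester performs to produce the "unexpected claims returned" warning Hasini saw. The user record, the request values and the `OPENID_POLICIES` names are constructed for the example.

```python
"""Scope- and claims-request driven filtering of OpenID Connect claims.

Added example, not WSO2 code. Scope-to-claim mapping follows OIDC Core 1.0
section 5.4; handling of the ``claims`` request parameter follows section 5.5.
The two policies for the bare ``openid`` scope are the ones discussed in the
thread: ``minimal`` returns only ``sub``; ``permissive`` returns the IS 5.4.0
list. The user record and the request values are constructed sample data.
"""
import json

# OIDC Core 1.0 section 5.4: claims requested by the four standard scopes.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Two candidate behaviours for the bare "openid" scope (policy names are ours).
OPENID_POLICIES = {
    "minimal": {"sub"},
    # Claims IS 5.4.0 binds to the openid scope, as listed in the thread.
    "permissive": {"sub", "email", "email_verified", "name", "family_name",
                   "given_name", "middle_name", "nickname", "preferred_username",
                   "profile", "picture", "website", "gender", "birthdate",
                   "zoneinfo", "locale", "phone_number", "phone_number_verified",
                   "address", "street", "updated_at"},
}

# Constructed sample user record held by the OP.
USER = {
    "sub": "248289761001", "name": "Jane Doe", "given_name": "Jane",
    "family_name": "Doe", "email": "[email protected]", "email_verified": True,
    "phone_number": "+1-202-555-0100", "locale": "en-US", "street": "1 Main St",
}


def requested_claims(scopes, claims_param=None, openid_policy="minimal"):
    """Return (allowed, essential) claim-name sets for one authorization request.

    ``scopes`` is the space-separated scope value; ``claims_param`` is the parsed
    JSON object of the ``claims`` request parameter (section 5.5), or None.
    Without ``openid`` this is not an OIDC request, so nothing is released.
    """
    scope_set = set(scopes.split())
    if "openid" not in scope_set:
        raise ValueError("openid scope is required for an OIDC request")
    allowed = set(OPENID_POLICIES[openid_policy])
    for scope in scope_set & SCOPE_CLAIMS.keys():
        allowed |= SCOPE_CLAIMS[scope]
    essential = set()
    if claims_param:
        # "userinfo" / "id_token" members map claim -> null | {"essential": bool, ...}
        for target in ("userinfo", "id_token"):
            for name, spec in (claims_param.get(target) or {}).items():
                allowed.add(name)
                if isinstance(spec, dict) and spec.get("essential"):
                    essential.add(name)
    return allowed, essential


def build_userinfo(user, scopes, claims_param=None, openid_policy="minimal"):
    """Filter the OP's user record down to the claims this request may receive.

    Returns (claims, missing_essential). Section 5.5.1 does not make an absent
    essential claim an error; the OP simply omits it, so it is reported
    separately for the operator rather than raised.
    """
    allowed, essential = requested_claims(scopes, claims_param, openid_policy)
    result = {k: v for k, v in user.items() if k in allowed}
    return result, sorted(essential - user.keys())


def unexpected_claims(returned, scopes, claims_param=None):
    """Conformance-style check: claims the RP could not have asked for.

    Anything beyond sub plus the requested scopes/claims is flagged; this is the
    comparison behind the "unexpected claims returned" warning in the thread.
    """
    allowed, _ = requested_claims(scopes, claims_param, openid_policy="minimal")
    return sorted(set(returned) - allowed)


if __name__ == "__main__":
    for policy in ("minimal", "permissive"):
        info, missing = build_userinfo(USER, "openid", None, policy)
        print(policy, "openid only ->", json.dumps(info))
        print("  flagged by tester:", unexpected_claims(info, "openid"))
    req = {"userinfo": {"email": {"essential": True}, "picture": {"essential": True}}}
    info, missing = build_userinfo(USER, "openid email", req)
    print("openid email + claims ->", json.dumps(info), "missing essential:", missing)
```

Under the `minimal` policy the bare `openid` request yields `sub` alone and the tester flags nothing; under `permissive` the same request yields every claim the user record holds and the tester flags all of them except `sub`. An RP that actually needs `email` gets it under either policy by adding the `email` scope or marking it essential, which is the point Omindu makes above.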
