> On 29 Aug 2017, at 11:29, Bhathiya Jayasekara <tobhathi...@gmail.com> wrote:
>
> Hi Roland/John,
>
> On Tue, Aug 29, 2017 at 1:55 PM, Roland Hedberg <rol...@catalogix.se> wrote:
>
> > On Aug 8, 2017 7:49 AM, "Hasini Witharana" <hasinidila...@gmail.com> wrote:
> > Hi,
> >
> > Currently I am working with OpenID Connect Certification basic profile. In
> > the OP, I have configured some claims to be gained when the scope is
> > openid. When I send an authorization request with an essential claim I will
> > get all claims for openid and the essential claim. In the specifications
> > there is no rule that it should return only the essential claim.
> > "OP-claims-essential" test is failing because unexpected claims are
> > returned. Can you please clarify this issue?
>
> Must be my long vacation :-) but I’m not sure I understand what you’re saying
> here.
> This is my interpretation.
>
> 1) you have an OP that returns a set of claims when the scope is ’openid’.
> As John said that set should only be ’subject’ and ’issuer’.
>
> Does the spec explicitly say so (i.e. the 'only' part)? I couldn't find so
> anywhere. Would you mind pointing out where it is?

OK, so I’m just back from a loooong vacation :-)

The ’only’ part was a bit overstated.

There are two places where you can get back claims: in the ID token or from the Userinfo endpoint.
Regarding the ID token there are a number of claims that are required, among them ’iss’ and ’sub’.
For the Userinfo response the only claim that MUST be there is ’sub’.

To summarize: the standard specifies a number of claims that MUST be present in a compliant response,
but it says nothing about which other claims may be returned.
GDPR on the other hand does.

> Thanks and regards,
> Bhathiya
>
> 2) You run the ’OP-claims-essential’ test using the OpenID test tool.
> This will send an authorization request including one essential claim (’name’)
>
> So, you should expect to get back ’subject’, ’issuer’ and ’name’.
>
> Now, you say that the test fails due to ’unexpected claims’ being returned.
> This means your OP returns more claims than these three.
> I don’t know what the extra claims are but as John and Nat have pointed out
> your OP MUST not return
> claims that are not asked for.
>
> If my interpretation is right the test tool does exactly what it should.
>
> -- Roland
> "Education is the path from cocky ignorance to miserable uncertainty." - Mark
> Twain
>
> _______________________________________________
> specs mailing list
> sp...@lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty." - Mark Twain
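
The comparison this thread turns on, as an added example that is not part of the original messages and is not the OpenID test tool's code: it checks a response for the claims the spec requires and lists every claim the request did not ask for through `scope` or the `claims` parameter. The function name `audit_claims` and the sample values are assumptions constructed for illustration; reporting un-requested claims as "unexpected" is the data-minimization policy discussed above, not a requirement stated by the specification.

```python
import json

# Claims each scope value requests (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}
# Claims that belong to the response format itself rather than to the user.
PROTOCOL_CLAIMS = {
    "id_token": {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
                 "acr", "amr", "azp", "at_hash", "c_hash"},
    "userinfo": {"sub", "iss", "aud"},
}
# Claims that MUST be present in a compliant response.
REQUIRED = {"id_token": {"iss", "sub", "aud", "exp", "iat"},
            "userinfo": {"sub"}}


def audit_claims(scope, claims_param, response, location="userinfo"):
    """Compare a response with what the authorization request asked for."""
    req = json.loads(claims_param).get(location, {}) if claims_param else {}
    # A member is essential only if its value is an object with essential=true.
    essential = {name for name, spec in req.items()
                 if isinstance(spec, dict) and spec.get("essential")}
    asked = set(req)
    for value in scope.split():
        asked |= SCOPE_CLAIMS.get(value, set())
    returned = set(response)
    return {
        "missing_required": sorted(REQUIRED[location] - returned),
        "missing_essential": sorted(essential - returned),
        "unexpected": sorted(returned - asked - PROTOCOL_CLAIMS[location]),
    }


# Constructed sample: scope 'openid' plus one essential claim ('name').
CLAIMS_PARAM = '{"userinfo": {"name": {"essential": true}}}'
USERINFO = {"sub": "248289761001", "name": "Jane Doe",
            "email": "jane@example.com", "phone_number": "+1 555 0100"}

if __name__ == "__main__":
    print(audit_claims("openid", CLAIMS_PARAM, USERINFO))
```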