Re: [Openid-specs-ab] Essential claims with the scope value openid

2017-08-29 Thread Roland Hedberg

> On Aug 8, 2017 7:49 AM, "Hasini Witharana"  wrote:
> Hi,
> 
> Currently I am working with OpenID Connect Certification basic profile. In 
> the OP, I have configured some claims to be gained when the scope is openid. 
> When I send an authorization request with an essential claim I will get all 
> claims for openid and the essential claim. In the specifications there is no 
> rule as it should return only the essential claim. "OP-claims-essential" test 
> is failing because unexpected claims are returned. Can you please clarify 
> this issue?

Must be my long vacation :-) but I’m not sure I understand what you’re saying 
here.
This is my interpretation.

1) you have an OP that returns a set of claims when the scope is ’openid’.
As John said that set should only be ’subject’ and ’issuer’.

2) You run the ’OP-claims-essential’ test using the OpenID test tool.
This will send an authorization request including one essential claim (’name’)

So, you should expect to get back ’subject’, ’issuer’ and ’name’.

Now, you say that the test fails due to ’unexpected claims’ being returned.
This means your OP returns more claims than these three.
I don’t know what the extra claims are but as John and Nat have pointed out your 
OP MUST not return claims that are not asked for.

If my interpretation is right the test tool does exactly what it should.

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark 
Twain





___
specs mailing list
sp...@lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs
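
The check described in the message above, as an added example that is not part of the original thread and is not the OpenID test tool's code: it derives the claims a request actually asks for (scope values plus the `claims` request parameter) and reports anything else the OP returned. Assumptions: the function names, the sample values, and the simplification that ID Token and UserInfo claims are audited as one merged set.

```python
import json

# Claims each scope value requests (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}
# Always acceptable: issuer and subject, plus the ID Token protocol claims.
PROTOCOL_CLAIMS = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce",
                   "acr", "amr", "azp", "at_hash", "c_hash"}


def requested_claims(scope, claims_param=None):
    """Return (allowed, essential) claim names for one authorization request."""
    allowed = set(PROTOCOL_CLAIMS)
    for value in scope.split():
        allowed |= SCOPE_CLAIMS.get(value, set())
    essential = set()
    request = json.loads(claims_param) if claims_param else {}
    for location in ("id_token", "userinfo"):
        # A member may be null, meaning "requested, default handling".
        for name, spec in (request.get(location) or {}).items():
            allowed.add(name)
            if isinstance(spec, dict) and spec.get("essential") is True:
                essential.add(name)
    return allowed, essential


def audit_release(scope, claims_param, returned):
    """Compare the claims an OP returned (merged view) with what was asked for."""
    allowed, essential = requested_claims(scope, claims_param)
    return {"unexpected": sorted(set(returned) - allowed),
            "missing_essential": sorted(essential - set(returned))}


# Constructed sample data modelled on the request described in the thread.
CLAIMS_PARAM = json.dumps({"userinfo": {"name": {"essential": True}}})
MINIMAL = {"iss": "https://op.example", "sub": "248289761001", "name": "Jane Doe"}
OVERSHARING = dict(MINIMAL, email="jane@example.com", phone_number="+1 555 0100")

if __name__ == "__main__":
    print(audit_release("openid", CLAIMS_PARAM, MINIMAL))
    print(audit_release("openid", CLAIMS_PARAM, OVERSHARING))
```
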


RE: Essential claims with the scope value openid

2017-08-08 Thread Nat Sakimura
Right. It is called the principle of PII collection minimization. It is one
of the main principles of GDPR / ISO 29100.

 

 


 

From: specs [mailto:openid-specs-boun...@lists.openid.net] On Behalf Of John
Bradley
Sent: Wednesday, August 9, 2017 12:10 AM
To: openid-specs@lists.openid.net
Cc: openid-specs...@lists.openid.net Ab <openid-specs...@lists.openid.net>
Subject: Re: Essential claims with the scope value openid

 

 

One School of thought (GDPR) is that you can only ask for claims that are
required. That is why it is essential as all are required.

The openID scope should only return subject and issuer. You need to ask
for the specific claims that you want if you don't want all the claims in a
scope like profile.

So it sounds like a bug in the test.

John B.

 

On Aug 8, 2017 7:49 AM, "Hasini Witharana" <hasinidila...@gmail.com> wrote:

Hi,

Currently I am working with OpenID Connect Certification basic profile. In
the OP, I have configured some claims to be gained when the scope is openid.
When I send an authorization request with an essential claim I will get all
claims for openid and the essential claim. In the specifications there is
no rule as it should return only the essential claim. "OP-claims-essential"
test is failing because unexpected claims are returned. Can you please
clarify this issue?



-- 

Hasini Witharana

Undergraduate | Department of Computer Science and Engineering

University of Moratuwa

Linkedin <https://www.linkedin.com/in/hasini-witharana-185785109/> 




Essential claims with the scope value openid

2017-08-08 Thread Hasini Witharana
Hi,

Currently I am working with OpenID Connect Certification basic profile. In
the OP, I have configured some claims to be gained when the scope is
openid. When I send an authorization request with an essential claim I will
get all claims for openid and the essential claim. In the specifications
there is no rule as it should return only the essential claim.
"OP-claims-essential" test is failing because unexpected claims are
returned. Can you please clarify this issue?

-- 
*Hasini Witharana*
Undergraduate | Department of Computer Science and Engineering
University of Moratuwa
Linkedin 