AzureAD / azure-activedirectory-identitymodel-extensions-for-dotnet

IdentityModel extensions for .Net
MIT License

[Feature Request] Support the `claims` property #2250

Open V0ldek opened 1 year ago

V0ldek commented 1 year ago

Is your feature request related to a problem? Please describe. In an OpenID Connect request one can include the claims property, which is a JSON with additional custom claims requested. As far as I can see, this parameter is not supported by OpenIdConnectMessage – there's just no such property, and requests with claims just drop the property.

Describe the solution you'd like A type is exposed that allows the claims field, as in the OpenIDConnect Core spec 1.0.

Describe alternatives you've considered I might be missing how to support this use case in the current library.

Additional context See the spec. Basically, the request may include a claims property with a value of this shape:

{
   "userinfo":
    {
     "given_name": {"essential": true},
     "nickname": null,
     "email": {"essential": true},
     "email_verified": {"essential": true},
     "picture": null,
     "http://example.info/claims/groups": null
    },
   "id_token":
    {
     "auth_time": {"essential": true},
     "acr": {"values": ["urn:mace:incommon:iap:silver"] }
    }
  }

One crucial use case for this is requesting a token for MFA with a set of expected values for acr and amr fields. For example, I'd send a payload like this:

"claims": {
    "id_token": {
        "acr": {
            "essential": true,
            "values": [ "face", "fido", "fpt", "hwk", "iris", "otp", "retina", "sc", "sms", "swk", "tel", "vbm" ]
        },
        "amr": {
            "essential": true
        }
    }
}

to enforce an MFA response with one of the required credential types.

jmprieur commented 1 year ago

did you try to use:

ProtocolMessage.SetParameter("Claims", theClaims);

In some cases theClaims would need to be base64-encoded
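The following is an added illustration of the two points raised above (the MFA-oriented `claims` object from the opening post and the `SetParameter` suggestion); it is not code from the library or from either participant. It assumes the packages Microsoft.IdentityModel.Protocols.OpenIdConnect and Microsoft.IdentityModel.JsonWebTokens, uses the lowercase parameter name `claims` as OpenID Connect Core 1.0 section 5.5 defines it, and serializes the value as plain JSON, which CreateAuthenticationRequestUrl URL-encodes into the query string. The method names, the endpoint values and the MFA policy are hypothetical. Because the identifiers listed in the issue ("face", "fido", "otp", ...) are RFC 8176 authentication method names, the response-side check below compares them against the ID token's `amr` claim; the important caveat is that a `claims` request is only a request, so the RP must re-check `acr`/`amr` on the validated ID token rather than trust that the OP honored it.

```csharp
using System;
using System.Linq;
using System.Text.Json;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Added example; not part of the library or of this issue thread.
public static class ClaimsRequestExample
{
    // Authentication methods the RP accepts as proof of MFA (RFC 8176 amr values,
    // the same list the issue asks to request). Which of these a given OP
    // supports is OP-specific: assumption for illustration only.
    public static readonly string[] AcceptedMethods =
        { "face", "fido", "fpt", "hwk", "iris", "otp", "retina", "sc", "sms", "swk", "tel", "vbm" };

    // Build the JSON object for the OIDC "claims" request parameter
    // (OpenID Connect Core 1.0, section 5.5), shaped as in the opening post.
    public static string BuildClaimsParameter()
    {
        var claims = new
        {
            id_token = new
            {
                acr = new { essential = true, values = AcceptedMethods },
                amr = new { essential = true },
            },
        };
        return JsonSerializer.Serialize(claims);
    }

    // Attach the JSON through the generic SetParameter, since OpenIdConnectMessage
    // exposes no typed Claims property. The value is the raw JSON string; the
    // library URL-encodes it when it builds the authorization request URL.
    public static string BuildAuthorizeUrl(string authorizeEndpoint, string clientId,
                                           string redirectUri, string nonce, string state)
    {
        var message = new OpenIdConnectMessage
        {
            IssuerAddress = authorizeEndpoint,
            ClientId = clientId,
            RedirectUri = redirectUri,
            ResponseType = OpenIdConnectResponseType.Code,
            Scope = "openid profile email",
            Nonce = nonce,
            State = state,
        };
        message.SetParameter("claims", BuildClaimsParameter());
        return message.CreateAuthenticationRequestUrl();
    }

    // The "claims" parameter is advisory. Enforce the policy on the token the OP
    // actually returned. Call this only AFTER the ID token's signature, issuer,
    // audience, nonce and lifetime have been validated (for example with
    // JsonWebTokenHandler.ValidateTokenAsync); constructing JsonWebToken here
    // only parses, it verifies nothing.
    public static bool SatisfiesMfaPolicy(string validatedIdToken)
    {
        var token = new JsonWebToken(validatedIdToken);

        // acr was requested as essential, so its absence is a policy failure.
        bool hasAcr = token.Claims.Any(c => c.Type == "acr" && !string.IsNullOrEmpty(c.Value));

        // amr is an array in the payload; the Claims view yields one Claim per element.
        var methods = token.Claims.Where(c => c.Type == "amr").Select(c => c.Value);
        bool hasAcceptedMethod = methods.Any(m => AcceptedMethods.Contains(m, StringComparer.Ordinal));

        return hasAcr && hasAcceptedMethod;
    }

    public static void Main()
    {
        // Hypothetical endpoint and client values; nonce/state must be
        // unpredictable per request in real code.
        string url = BuildAuthorizeUrl(
            "https://login.example.test/oauth2/v2.0/authorize",
            "00000000-0000-0000-0000-000000000000",
            "https://rp.example.test/signin-oidc",
            nonce: Guid.NewGuid().ToString("N"),
            state: Guid.NewGuid().ToString("N"));
        Console.WriteLine(url);
    }
}
```

A practitioner's check on this: inspect the generated URL and confirm the `claims=` query value decodes back to the exact JSON object sent, and keep SatisfiesMfaPolicy separate from token validation so that a token that validates but carries a single-factor `amr` is still rejected by the application.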

V0ldek commented 1 year ago

Where would I set it? I'm using OpenIdConnectMessage as input in an ASP.NET Core API.