ConsumerDataStandardsAustralia / infosec

Work space for the consumer data right information security profile development in Australia
MIT License

Is `cdr_consent_id` an essential claim in both `id_token` and `userinfo`? #52

Closed ajmcmiddlin closed 5 years ago

ajmcmiddlin commented 5 years ago

§12 of the specification contains an example in which `cdr_consent_id` is an essential claim in both the `id_token` and `userinfo` claims. Is this correct? It seems redundant, as I would expect `cdr_consent_id` to only appear in the `id_token` claim.

lukepopp commented 5 years ago

Yeah, it needs to be in both, as they control what is in the UserInfo response versus what goes in the ID Token (from the Token Endpoint).
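The independence of the two members of the OpenID Connect `claims` request parameter, as an added example that is not part of this thread or of the specification's own text. Only `cdr_consent_id` comes from the issue; the function names, the other claim names and all sample values are assumptions constructed for illustration.

```python
import json

# Constructed samples of the OIDC "claims" request parameter (OIDC Core 5.5).
# BOTH asks for cdr_consent_id at both destinations, as in the spec example
# discussed above; ID_ONLY asks for it in the ID Token only.
BOTH = json.dumps({
    "id_token": {"cdr_consent_id": {"essential": True}, "acr": {"essential": True}},
    "userinfo": {"cdr_consent_id": {"essential": True}, "given_name": None},
})
ID_ONLY = json.dumps({
    "id_token": {"cdr_consent_id": {"essential": True}},
})


def essential_claims(claims_param: str) -> dict:
    """Return {"id_token": set, "userinfo": set} of claims marked essential."""
    requested = json.loads(claims_param)
    result = {}
    for target in ("id_token", "userinfo"):
        members = requested.get(target) or {}
        # A null value requests the claim as voluntary, so it is skipped here.
        result[target] = {
            name for name, spec in members.items()
            if isinstance(spec, dict) and spec.get("essential") is True
        }
    return result


def missing_essential(claims_param: str, target: str, payload: dict) -> set:
    """Essential claims requested for `target` that `payload` does not carry.

    OIDC Core does not make an omitted essential claim a protocol error,
    so a client that depends on the claim has to check for it itself.
    """
    return essential_claims(claims_param)[target] - set(payload)


if __name__ == "__main__":
    userinfo_response = {"sub": "constructed-subject"}  # constructed payload
    print(essential_claims(BOTH))
    print(missing_essential(BOTH, "userinfo", userinfo_response))
    print(missing_essential(ID_ONLY, "userinfo", userinfo_response))
```

With `ID_ONLY`, nothing was requested for the UserInfo response, so a client reading `cdr_consent_id` from that endpoint has no basis to expect it there.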