Closed JamesMBligh closed 5 years ago
NAB is supportive of this proposal
There are a set of REQUIRED claims used within the ID token as specified by OIDC. They are iss, sub, aud, exp and iat. We're assuming they're not affected by this.
In particular, the sub is a Subject Identifier that uniquely identifies a subject/user within the provider/issuer scope. It will never change. This is crucial for consumers to uniquely and, more importantly, consistently identify the subject/user for every authorisation and re-authorisation.
It would be great to be clear on exactly which claims may be omitted when the token is obtained from the authorisation endpoint.
Only the name-related claims would be excluded as they contain the only PII data.
Westpac supports this proposal.
Decision Proposal 64 has included this position.
It has been raised that if claims for PII data (i.e. the customer name claims) are included then the id_token returned during the redirect flow will include this data via a less secure channel (i.e. via the authorisation endpoint).
It is therefore suggested that PII data should be excluded from id_token unless the token is obtained from the token endpoint.
Feedback on this issue is welcome.
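The two behaviours discussed in this thread (the OIDC REQUIRED claims always present, name claims withheld when the id_token comes from the authorisation endpoint) as an added Python example, not code from the thread or from the standards: a provider-side claim shaper plus a consumer-side check that a front-channel token is signed, complete and free of PII. HS256 with a shared key, the hypothetical function names, the PII claim list and a single-string aud are assumptions for illustration.

```python
import base64, hashlib, hmac, json

# REQUIRED ID token claims per OpenID Connect Core 1.0, section 2
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")
# Name-related claims that carry PII (constructed list for this example)
PII_CLAIMS = ("name", "given_name", "family_name", "middle_name", "nickname")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def shape_id_token_claims(full_claims: dict, endpoint: str) -> dict:
    """Provider side: the authorisation endpoint (front channel, via redirect)
    drops PII claims; the token endpoint keeps them. REQUIRED claims always stay."""
    if endpoint == "authorisation":
        claims = {k: v for k, v in full_claims.items() if k not in PII_CLAIMS}
    elif endpoint == "token":
        claims = dict(full_claims)
    else:
        raise ValueError("unknown endpoint: %r" % endpoint)
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError("id_token missing REQUIRED claims: %s" % missing)
    return claims

def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS (HS256) so the consumer side has a real token to verify."""
    head = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def check_front_channel_token(token: str, key: bytes, iss: str, aud: str, now: int) -> dict:
    """Consumer side: verify signature, REQUIRED claims, iss/aud/exp, and reject
    any PII name claim that arrived over the redirect (aud assumed a single string)."""
    head, body, sig = token.split(".")
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(good), sig):
        raise ValueError("signature mismatch")
    claims = json.loads(_unb64url(body))
    if any(c not in claims for c in REQUIRED_CLAIMS):
        raise ValueError("REQUIRED claim missing")
    if claims["iss"] != iss or claims["aud"] != aud or claims["exp"] <= now:
        raise ValueError("iss/aud/exp check failed")
    if any(c in claims for c in PII_CLAIMS):
        raise ValueError("PII name claim present on front-channel id_token")
    return claims
```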