ConsumerDataStandardsAustralia / infosec

Work space for the consumer data right information security profile development in Australia
MIT License

PII data provided in id_token during authorisation #64

Closed JamesMBligh closed 5 years ago

JamesMBligh commented 5 years ago

It has been raised that if claims for PII data (i.e. the customer name claims) are included, then the id_token returned during the redirect flow will include this data via a less secure channel (i.e. via the authorisation endpoint).

It is therefore suggested that PII data should be excluded from id_token unless the token is obtained from the token endpoint.

Feedback on this issue is welcome.

NationalAustraliaBank commented 5 years ago

NAB is supportive of this proposal

spikejump commented 5 years ago

There are a set of REQUIRED claims used within the ID token as specified by OIDC. They are iss, sub, aud, exp and iat. We're assuming they're not affected by this.

In particular, the sub is a Subject Identifier where it will uniquely identify a subject/user in the provider/issuer scope. It will never change. This is crucial for consumers to uniquely and more importantly consistently identify the subject/user for every authorisation and re-authorisation.

It would be great to be clear on exactly which claims may be omitted when the token is obtained from the authorisation endpoint.

JamesMBligh commented 5 years ago

Only the name-related claims would be excluded, as they contain the only PII data.
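
The position agreed in this thread, as an added example that is not code from this repository or from any participant: the provider builds the id_token claim set differently depending on whether the token is being returned in the redirect (authorisation endpoint) or from the token endpoint, always keeping the OIDC-required iss, sub, aud, exp and iat, and withholding only the name-related claims on the front channel. A second function is the relying-party-side check for an id_token received in the redirect. The channel enum, function names, the set of name claims treated as PII and the sample user record are this example's assumptions; signing and the other hybrid-flow claims are out of scope here.

```python
# Added example, not code from ConsumerDataStandardsAustralia/infosec.
# Models the id_token claim filtering discussed in issue #64: name-related
# PII claims are omitted from an id_token returned via the authorisation
# endpoint (redirect) and included only when the id_token comes from the
# token endpoint. Channel, function names and the PII claim set are
# assumptions made for this example.

from enum import Enum
import time

# Claims OIDC always requires in an id_token; never filtered.
REQUIRED_CLAIMS = {"iss", "sub", "aud", "exp", "iat"}

# Name-related standard OIDC claims treated as PII for this example
# (assumption: which claims count as "name related" is the deployment's call).
NAME_CLAIMS = {"name", "given_name", "family_name", "middle_name",
               "nickname", "preferred_username"}


class Channel(Enum):
    AUTHORISATION_ENDPOINT = "authorisation_endpoint"  # id_token in the redirect
    TOKEN_ENDPOINT = "token_endpoint"                  # id_token in the token response


def build_id_token_claims(issuer, subject, client_id, requested, user_record,
                          channel, now=None, lifetime=300):
    """Provider side: assemble id_token claims for the given channel.

    requested   - claim names the client asked for (e.g. via the claims parameter)
    user_record - the authenticated user's attributes (constructed sample below)
    """
    now = int(now if now is not None else time.time())
    claims = {"iss": issuer, "sub": subject, "aud": client_id,
              "iat": now, "exp": now + lifetime}
    for name in requested:
        if name in REQUIRED_CLAIMS:
            continue  # already present and never subject to filtering
        if name in NAME_CLAIMS and channel is Channel.AUTHORISATION_ENDPOINT:
            continue  # front channel: withhold PII, obtain it from the token endpoint
        if name in user_record:
            claims[name] = user_record[name]
    return claims


def check_front_channel_id_token(claims):
    """Relying-party side: an id_token received in the redirect must carry the
    required claims and must not carry name-related PII.

    Returns (ok, missing_required_claims, leaked_pii_claims)."""
    missing = REQUIRED_CLAIMS - claims.keys()
    leaked = NAME_CLAIMS & claims.keys()
    return (not missing and not leaked, sorted(missing), sorted(leaked))


# Constructed sample user record for the demo (not real data).
SAMPLE_USER = {"sub": "3f9b2c", "given_name": "Jane", "family_name": "Citizen",
               "email": "jane@example.invalid"}


def demo(now=1_700_000_000):
    """Same request served on both channels; returns both claim sets."""
    requested = {"sub", "given_name", "family_name", "email"}
    front = build_id_token_claims("https://idp.example.invalid", SAMPLE_USER["sub"],
                                  "client-123", requested, SAMPLE_USER,
                                  Channel.AUTHORISATION_ENDPOINT, now=now)
    back = build_id_token_claims("https://idp.example.invalid", SAMPLE_USER["sub"],
                                 "client-123", requested, SAMPLE_USER,
                                 Channel.TOKEN_ENDPOINT, now=now)
    return front, back


if __name__ == "__main__":
    front, back = demo()
    print("authorisation endpoint:", front)
    print("token endpoint:        ", back)
    print("front-channel check:   ", check_front_channel_id_token(front))
    print("back-channel as front: ", check_front_channel_id_token(back))
```

Note that non-name claims such as email are passed through on both channels in this example because the thread scopes the exclusion to name-related claims only; a deployment that treats other claims as PII would extend NAME_CLAIMS. The sub value is the same in both tokens, which is the consistent-identifier property raised in the thread.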

WestpacOpenBanking commented 5 years ago

Westpac supports this proposal.

JamesMBligh commented 5 years ago

Decision Proposal 64 has included this position.