Closed CDR-API-Stream closed 1 year ago
This documentation fix will be targeted for v1.17.0 release. A staged change will be published this week. If there is any feedback in regards to this item we'd welcome feedback this week.
This change has been staged for review: https://github.com/ConsumerDataStandardsAustralia/standards-staging/compare/release/1.17.0...maintenance/504
Overall looks good, a few minor things.
`code` only flow isn't implicitly OpenID (it's OAuth2+PKCE) so perhaps at least the title should drop references to OpenID Connect?
OIDC Profile scope and/or one or more of these standard claims
should probably be
OIDC Profile scope or one or more of these standard claims
Because `profile` requests all of them and therefore and/or would lead to the question of whether `profile` scope + `first_name` claim should result in all claims or just `first_name` being provided.
The wording from OIDC is:
This scope value requests access to the End-User's default profile Claims, which are:
Thanks @perlboy those suggestions sound reasonable. They have been reflected in the staged change: https://github.com/ConsumerDataStandardsAustralia/standards-staging/compare/release/1.17.0...maintenance/504
Description
A documentation error was introduced in v1.15.0 of the standards when dealing with the OpenID Connect profile scope and OIDC standard claims. This has caused some confusion for participants implementing individual named claims and the profile scope. This change request seeks to address the documentation error to remove confusion with how ADRs request and DHs authorise individual contact detail claims.
These claims, if supported, must be requested individually and were not intended to be requested using the profile scope as a catch-all substitute. The description for the Contact Details data language incorrectly implies the profile scope can be used as a mechanism to request the standard OIDC contact detail claims as well as the name claims.
No future dated obligation would be provided because it clarifies the optional nature of the contact details claims. This change corrects the change raised in DP216 which has a July 1st 2022 obligation date for the introduction of Profile scope data language.
Area Affected
Data Language Standards: Profile scope.
Change Proposed
Change title from “Profile Scope” to “Profile Scope and OpenID Connect Standard Claims”
Change “Authorisation scopes” description for Contact Details to be “One or more of these standard OIDC claims:”. This drops the “OIDC Profile scope and/or” section and clarifies the claims are standard OIDC claims.
Include a "Required" column to articulate which claims and scopes the Data Holders MUST support versus which individual OIDC claims are at the discretion of the Data Holder to support. This removes implementation ambiguity for Data Holders.
In table form, this would be represented as follows:
See 5.4. Requesting Claims using Scope Values on the OIDC website for more information
Email address;
Mail address;
See 5.4. Requesting Claims using Scope Values on the OIDC website for more information
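The rule described in this change request, sketched as claim-resolution logic a Data Holder could apply. This is an added example, not code from the Consumer Data Standards or from any participant in this thread. It assumes the `profile` scope expands to the default profile claims listed in OpenID Connect Core 5.4, that contact claims use the OIDC standard names, and that the function name and the `supported_contact` parameter are hypothetical.

```python
# Added illustration; not code from the Consumer Data Standards.
# Claim names follow OpenID Connect Core 1.0 (sections 5.4 and 5.5).
# The set of contact claims a holder supports is an assumption
# supplied by the caller.

# Default claims requested by the "profile" scope value (OIDC Core 5.4).
PROFILE_SCOPE_CLAIMS = frozenset({
    "name", "family_name", "given_name", "middle_name", "nickname",
    "preferred_username", "profile", "picture", "website", "gender",
    "birthdate", "zoneinfo", "locale", "updated_at",
})

# OIDC standard contact claims: never implied by the "profile" scope.
CONTACT_CLAIMS = frozenset({
    "email", "email_verified", "phone_number",
    "phone_number_verified", "address",
})


def resolve_claims(scope, claims_param=None, supported_contact=frozenset()):
    """Return the claims a holder may release for one authorisation request.

    scope             -- space-delimited scope string from the request
    claims_param      -- parsed OIDC "claims" request parameter, or None
    supported_contact -- contact claims this holder chose to support
    """
    granted = set()
    # The scope is a catch-all for profile claims only.
    if "profile" in scope.split():
        granted |= PROFILE_SCOPE_CLAIMS

    # Collect individually named claims from both delivery targets.
    named = set()
    for target in ("id_token", "userinfo"):
        named |= set((claims_param or {}).get(target) or {})

    # Named profile claims are honoured even without the scope.
    granted |= named & PROFILE_SCOPE_CLAIMS
    # Contact claims are released only when named AND supported.
    granted |= named & CONTACT_CLAIMS & set(supported_contact)
    return granted
```
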