Problem description
The document CAMARA-Security-Interoperability.md contains a statement which is not correct. The current statement is:
Clients SHOULD follow the OIDC standard and SHOULD include openid in the list of requested scopes. Without id token there is no sub field and the privacy features of OIDC are severely crippled. Globally unique identifiers, like the MSISDN, should be avoided for privacy reasons.
It is correct that without requesting openid scope, there is no id token generated by the authZ server.
However it is NOT correct that the access token does not contain a sub claim in case there is no id token.
The sub claim of the access token is filled with an identifier of the subject / resource owner in case of 3-legged flow and with the client_id or application id in case of 2-legged flow.
It is necessary to give an argumentation on why an id token (as requested by openid scope) should be used.
One argument could be that the sub claim in the id token contains an obfuscated identifier instead of a globally unique identifier for the subject like MSISDN. This identifier can only be interpreted by the authZ server.
Expected action
1) Remove wrong statement: Without id token there is no sub field and the privacy features of OIDC are severely crippled. and replace it with a correct statement about the sub field.
2) Give an argumentation on why an id token is proposed.
3) Clarify the content of the sub claim of an access token, e.g.:
The sub field of the access token is meant to identify the subject / resource owner in case of 3-legged flow and the clientid or application id in case of 2-legged flow. Globally unique identifiers, like the MSISDN, should be avoided for privacy reasons.
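As an added illustration of the proposed wording (example code written for this issue, not part of the CAMARA project), the check below decodes the payload of constructed, unsigned sample tokens, decides whether a token belongs to a 2-legged flow (sub equals the client identifier) or a 3-legged flow, and flags a sub that looks like an MSISDN. It assumes the client identifier appears as a `client_id` or `azp` claim; signature verification is deliberately out of scope.

```python
import base64
import json
import re


def _b64url(obj):
    """Base64url-encode a JSON object without padding (JWS compact style)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_token(claims):
    """Build a constructed, UNSIGNED sample token (alg=none) for illustration only."""
    return ".".join([_b64url({"alg": "none", "typ": "JWT"}), _b64url(claims), ""])


def decode_claims(token):
    """Return the payload claims of a JWS compact token; no signature check here."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


# Loose E.164 pattern: optional '+', leading non-zero digit, 8-15 digits total.
MSISDN_PATTERN = re.compile(r"^\+?[1-9]\d{7,14}$")


def classify_sub(claims):
    """Return (flow, privacy_ok).

    flow is '2-legged' when sub equals the client identifier (client_id/azp,
    assumed claim names), otherwise '3-legged'; 'unknown' when sub is absent.
    privacy_ok is False when sub looks like a globally unique MSISDN.
    """
    sub = claims.get("sub")
    if sub is None:
        return ("unknown", False)
    client = claims.get("client_id") or claims.get("azp")
    flow = "2-legged" if client is not None and sub == client else "3-legged"
    privacy_ok = MSISDN_PATTERN.match(sub) is None
    return (flow, privacy_ok)


# Constructed sample claims (values are made up, not from any real deployment).
THREE_LEGGED = {"iss": "https://authz.example", "sub": "7f3a9c-pairwise", "client_id": "app-123"}
TWO_LEGGED = {"iss": "https://authz.example", "sub": "app-123", "client_id": "app-123"}
MSISDN_SUB = {"iss": "https://authz.example", "sub": "+491701234567", "client_id": "app-123"}

if __name__ == "__main__":
    for claims in (THREE_LEGGED, TWO_LEGGED, MSISDN_SUB):
        print(classify_sub(decode_claims(make_token(claims))))
```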
Additional context