Possible scope claims collisions

giffarda commented 2 years ago

According to schemas, the endpoint /userinfo can return a response like below :

{
    "sub": "0faa3bdf-2178-4600-989f-b3a95add44e0",
    "lastName": {
        "value": "john",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "email_verified": true,
    "gender": {
        "value": "Masculin",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "preferred_username": "john@cap.com",
    "given_name": "john",
    "birthDate": {
        "value": "1999-09-24",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "middleNames": {
        "value": "Names",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "firstName": {
        "value": "john",
        "source": "franceconnect.gouv.frt",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "birthPlace": {
        "value": "Paris",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "birthCountry": {
        "value": "France",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "name": "john john",
    "family_name": "john",
    "email": "john@cap.com"
}

@BertrandGervais @jthiard @ghislainfabmob do we want to encapsulate information by scope to more readability and avoid claim collisions between all claims used by the clients ?

giffarda commented 1 year ago

An example with email OIDC claim and personalInformation.email CMS claim.

At root of /userinfo response, we cannot have the CMS email claim but we will have the OIDC email claim as below :

"email": "citoyen1.cms@yopmail.com"

I suggest to encapsulate CMS scopes in a cms object in order to avoid conflicts with other scopes requested :

    "cms": {
        "personal-information": {
            "email": {
                "value": "citoyen1.cms@yopmail.com",
                "source": "moncomptemobilite.fr",
                "certificationDate": "2022-11-08T13:44:00"
            }
        }
    }

jthiard commented 1 year ago

Indeed, this was left in a sort of undefined state in the first iteration of the standard. Your suggestion is in my opinion the right thing to do to avoid claim collisions.

To document this I suggest we should

create and document a new "cms" schema with an optional property for each sub schema
document in the API part that if one of more urn:cms:* scopes is asked, the /userinfo response must contain the cms object

fabmob / CMS

Possible scope claims collisions #6