ncsa / oa4mp

Open Authorization for MyProxy
https://oa4mp.org/

Audit user id token claims in restrictive cases #158

Closed jjg-123 closed 2 months ago

jjg-123 commented 7 months ago

If the user requests anything other than the full set of claims with e.g. org.cilogon.userinfo, then a restricted subset should be returned. Since the original system was implemented, a few new claims such as voPersonID and eduPersonEntitlement have come into usage that are being passed back since they are unrecognized. Make sure such claims do not leak from the IDP.
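The leak described in the issue is the classic difference between a deny-list filter (strip the claims you know belong to scopes that were not requested, pass everything else through) and an allow-list filter (release only claims that a requested scope justifies). The following is an added example, not OA4MP project code: it shows both filters side by side plus an audit helper that reports claims a response carries without any requested scope justifying them. The scope-to-claim map, the scope names other than org.cilogon.userinfo, and the sample IdP assertion (including the voPersonID and eduPersonEntitlement values) are constructed for illustration.

```python
"""Scope-driven claim filtering for an OIDC id_token / userinfo response.

Added example, not OA4MP code. SCOPE_CLAIMS, the scope names other than
org.cilogon.userinfo, and SAMPLE_IDP_CLAIMS are constructed assumptions.
"""

# Allow-list: the claims each scope may release. Hypothetical mapping.
SCOPE_CLAIMS = {
    "openid": {"sub", "iss", "aud", "exp", "iat"},
    "email": {"email", "email_verified"},
    "profile": {"name", "given_name", "family_name"},
}
# Scope that, per the issue, entitles the client to the full claim set.
FULL_CLAIMS_SCOPE = "org.cilogon.userinfo"

# Constructed sample of what an IdP might assert for one user. The two
# trailing claims are the newer ones the issue says were leaking.
SAMPLE_IDP_CLAIMS = {
    "sub": "user-123",
    "iss": "https://idp.example.org",
    "aud": "client-abc",
    "email": "alice@example.org",
    "email_verified": True,
    "name": "Alice Example",
    "voPersonID": "vo-0001",
    "eduPersonEntitlement": ["urn:mace:example:group:admins"],
}


def allowed_for(requested_scopes):
    """Union of claims justified by the requested scopes.

    Returns None when the full-claims scope was requested (no restriction).
    An unknown scope contributes nothing, so it cannot widen the release.
    """
    if FULL_CLAIMS_SCOPE in requested_scopes:
        return None
    allowed = set()
    for scope in requested_scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    return allowed


def release_claims_denylist(idp_claims, requested_scopes):
    """Legacy pattern that produces the leak: remove claims known to belong to
    scopes that were NOT requested; anything unrecognised passes through."""
    if FULL_CLAIMS_SCOPE in requested_scopes:
        return dict(idp_claims)
    blocked = set()
    for scope, claims in SCOPE_CLAIMS.items():
        if scope not in requested_scopes:
            blocked |= claims
    return {k: v for k, v in idp_claims.items() if k not in blocked}


def release_claims_allowlist(idp_claims, requested_scopes):
    """Hardened pattern: release only claims a requested scope justifies.
    Unrecognised claims such as voPersonID are dropped by default."""
    allowed = allowed_for(requested_scopes)
    if allowed is None:
        return dict(idp_claims)
    return {k: v for k, v in idp_claims.items() if k in allowed}


def unjustified_claims(released, requested_scopes):
    """Audit helper: names of released claims that no requested scope covers.
    An empty result means nothing leaked; use it as a release-time check."""
    allowed = allowed_for(requested_scopes)
    if allowed is None:
        return set()
    return set(released) - allowed


if __name__ == "__main__":
    scopes = {"openid", "email"}
    weak = release_claims_denylist(SAMPLE_IDP_CLAIMS, scopes)
    hardened = release_claims_allowlist(SAMPLE_IDP_CLAIMS, scopes)
    print("deny-list leaks:", sorted(unjustified_claims(weak, scopes)))
    print("allow-list leaks:", sorted(unjustified_claims(hardened, scopes)))
```

Running the block with only openid and email requested, the deny-list filter leaks voPersonID and eduPersonEntitlement while the allow-list filter releases just the identity and email claims; requesting org.cilogon.userinfo returns the full set from either. The audit helper is the piece worth wiring into a token-issuance test, since it flags any claim the IdP starts sending in future without someone having to add it to a block list first.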