Closed seybsen closed 5 years ago
https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.6.2
endpoint REQUIRED. OAuth 2.0 resource endpoint from which the associated Claim can be retrieved. The endpoint URL MUST return the Claim as a JWT.
... does this mean the endpoint MUST return the Claim or that the Claim MUST be JWT?
Hi Sebastian,
https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
The JWT returned by the resource (endpoint) is the same JWT as for the aggregated claims, for which the following is defined:
JWT that MUST contain all the Claims in the _claim_names object that references the corresponding _claim_sources member.
Its processing is the same, ergo throw if the _claim_names point to something that's not there.
Feel free to double check on the OIDC WG mailing list or issue tracker; I might be in the wrong to apply the same processing for distributed as for aggregated.
IMHO throwing an exception is a bit hard, as more graceful handling would be possible.
In the case of distributed claims the IdP may not know which claims are stored by the claims source, therefore there is no such strict language as with Aggregated Claims. Anyway, I've opened an issue at OIDF: https://bitbucket.org/openid/connect/issues/1117/core-562-behavior-for-distributed-claims
Reopening based on WG feedback to the issue. Expect a fix in the next release.
An error
expected claim "${claim}" in "${sourceName}"
is thrown if distributed sources do not return all claims referenced in _claim_names: https://github.com/panva/node-openid-client/blob/master/lib/client.js#L55
Example: when fetching the distributed claims, gender is missing, which then throws
RPError: expected claim "gender" in "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab"
Is this the correct behaviour according to the RFC?
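To make the behaviour under discussion concrete, here is an added standalone illustration of the _claim_names / _claim_sources check (not node-openid-client's own code). It assumes the distributed sources' JWTs have already been fetched and signature-verified, and takes their decoded payloads as a constructed `fetched` map keyed by source name; the `strict` option switches between the throwing behaviour the thread describes and a more graceful variant that reports the missing claims instead.

```javascript
// Added example: resolving distributed claims referenced by _claim_names.
// Standalone code, not node-openid-client's implementation. `fetched` maps a
// _claim_sources member name to the already-verified JWT payload returned by
// that source's endpoint (constructed sample data, no network access).

// Constructed sample ID Token claims with one distributed claim source.
const idTokenClaims = {
  sub: 'user-123',
  _claim_names: { gender: 'src1', birthdate: 'src1' },
  _claim_sources: {
    src1: { endpoint: 'https://claims.example.invalid/userinfo', access_token: 'placeholder' },
  },
};

class MissingClaimError extends Error {
  constructor(claim, sourceName) {
    super(`expected claim "${claim}" in "${sourceName}"`);
    this.claim = claim;
    this.sourceName = sourceName;
  }
}

// Merge the referenced distributed claims into the ID Token claims.
// strict: true  -> throw on the first claim a source failed to return.
// strict: false -> keep what was returned and list the gaps in `missing`.
// Only claims that _claim_names references are copied from a source, so a
// source cannot inject or override unrelated claims such as `sub`.
function mergeDistributedClaims(claims, fetched, { strict = true } = {}) {
  const names = claims._claim_names || {};
  const sources = claims._claim_sources || {};
  const merged = { ...claims };
  delete merged._claim_names;
  delete merged._claim_sources;
  const missing = [];
  for (const [claim, sourceName] of Object.entries(names)) {
    if (!sources[sourceName]) {
      throw new Error(`_claim_names references unknown source "${sourceName}"`);
    }
    const payload = fetched[sourceName];
    if (!payload || !Object.prototype.hasOwnProperty.call(payload, claim)) {
      if (strict) throw new MissingClaimError(claim, sourceName);
      missing.push({ claim, sourceName });
      continue;
    }
    merged[claim] = payload[claim];
  }
  return { claims: merged, missing };
}
```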