@panva panva commented Jun 19, 2018

Core 1.0 - 5.4. Requesting Claims using Scope Values defines that claims requested using the scope parameter are returned from the UserInfo Endpoint unless the response_type=id_token.

The Claims requested by the profile, email, address, and phone scope values are returned from the
UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results
in an Access Token being issued. However, when no Access Token is issued (which is the case for
the response_type value id_token), the resulting Claims are returned in the ID Token.

To enable/disable this conforming behaviour:

const configuration = { features: { conformIdTokenClaims: Boolean[false] } };

The conforming/non-conforming behaviour gives the following results:

| flag value | request params | authorization_endpoint ID Token (if issued) | token_endpoint ID Token (if issued) |
|---|---|---|---|
| false | response_type=any, scope=openid email | sub, email, email_verified | sub, email, email_verified |
| true | response_type=any but id_token, scope=openid email | sub, email, email_verified | sub, email, email_verified |
| true | response_type=any but id_token, scope=openid email, claims={"id_token":{"email":null}} | sub, email, email_verified | sub, email, email_verified |
| true | response_type=id_token, scope=openid email | sub, email, email_verified | n/a |

This toggle makes the OP only include End-User claims in the ID Token as defined by Core 1.0 section 5.4: when the response_type is id_token, or unless requested using the claims parameter.
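The rule the PR description states, written out as an added JavaScript model (not code from this PR or from node-oidc-provider itself): `sub` is always present, claims named in the `claims` parameter are always honoured, and scope-derived claims go into the ID Token only when the toggle is off or when the response_type issues no Access Token (`id_token` alone). The scope-to-claims mapping, the function names and the `endpoint` argument are assumptions made for this illustration.

```javascript
// Added example, not node-oidc-provider's own code: a minimal model of how the
// conformIdTokenClaims toggle decides which End-User claims land in an ID Token.
// Constructed subset of the scope-to-claims mapping in OIDC Core 1.0 section 5.4.
const SCOPE_CLAIMS = {
  profile: ['name', 'family_name', 'given_name', 'preferred_username', 'picture', 'updated_at'],
  email: ['email', 'email_verified'],
  address: ['address'],
  phone: ['phone_number', 'phone_number_verified'],
};

// True only when the response_type issues no Access Token, i.e. the value
// "id_token" on its own. code, token and their combinations all result in an
// Access Token, so UserInfo is available and the conforming OP keeps the
// scope-derived claims out of the ID Token.
function issuesNoAccessToken(responseType) {
  const normalized = String(responseType).trim().split(/\s+/).filter(Boolean).join(' ');
  return normalized === 'id_token';
}

// Expand a space-separated scope string into the claim names it requests.
function scopeClaims(scope) {
  const out = new Set();
  for (const s of String(scope).split(/\s+/)) {
    for (const c of SCOPE_CLAIMS[s] || []) out.add(c);
  }
  return out;
}

// Returns the sorted claim names for an ID Token issued from `endpoint`, or null
// when that endpoint issues no ID Token for the flow (token_endpoint with
// response_type=id_token, the "n/a" cell in the table above).
function idTokenClaims({
  conformIdTokenClaims = false,
  responseType,
  scope,
  claims = {},
  endpoint = 'authorization_endpoint', // assumed parameter for this model
}) {
  const noAccessToken = issuesNoAccessToken(responseType);
  if (endpoint === 'token_endpoint' && noAccessToken) return null;

  const result = new Set(['sub']);

  // Claims explicitly requested via the claims parameter are included regardless
  // of the toggle: the RP asked for them in the ID Token by name.
  const requested = (claims && claims.id_token) || {};
  for (const name of Object.keys(requested)) result.add(name);

  // Scope-derived claims: always when non-conforming, otherwise only when no
  // Access Token is issued and UserInfo therefore cannot deliver them.
  if (!conformIdTokenClaims || noAccessToken) {
    for (const c of scopeClaims(scope)) result.add(c);
  }
  return [...result].sort();
}

// Usage: reproduce the four table rows for the authorization_endpoint ID Token.
const rows = [
  { conformIdTokenClaims: false, responseType: 'code', scope: 'openid email' },
  { conformIdTokenClaims: true, responseType: 'code id_token', scope: 'openid email' },
  { conformIdTokenClaims: true, responseType: 'code id_token', scope: 'openid email', claims: { id_token: { email: null } } },
  { conformIdTokenClaims: true, responseType: 'id_token', scope: 'openid email' },
];
for (const r of rows) console.log(JSON.stringify(r), '->', JSON.stringify(idTokenClaims(r)));
```

The check that matters for a defender reviewing an OP configuration is `issuesNoAccessToken`: a response_type such as `id_token token` or `code id_token` does issue an Access Token, so with the toggle on those flows get a `sub`-only ID Token and the RP must call UserInfo for the rest.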
codecov bot commented Jun 19, 2018

Codecov Report

Merging #298 into master will not change coverage.
The diff coverage is 100%.

@@          Coverage Diff          @@
##           master   #298   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files         106    106           
  Lines        2768   2776    +8     
=====================================
+ Hits         2768   2776    +8

@panva panva temporarily deployed to guarded-cliffs-8635 June 19, 2018 21:32 Inactive
@panva panva merged commit 58a57d4 into master Jun 21, 2018
@panva panva deleted the conform-idtoken-claims branch June 21, 2018 14:57
@github-actions github-actions bot locked and limited conversation to collaborators Apr 4, 2020