5B/ OpenID Connect Claims Aggregation

From IIW

OIDC Claims Aggregation

Tuesday 5B

Convener: Nat Sakimura, Edmund Jay, Kristina Yasuda

Notes-taker(s): Kristina Yasuda

Tags for the session - technology discussed/ideas considered:

OpenID Connect, Claims Aggregation, Claims Issuance

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

Session Slides: https://docs.google.com/presentation/d/1w-rmwZoLiFWczJ4chXuxhY0OsgHQmlIimS2TNlce4UU/edit?usp=sharing

This session discussed how the OIDC Claims Aggregation draft solves certain problems left open in Connect Core:

  • How to get a token from the Claims Provider (CP) is hand-wavy.

  • There is no specified method to down-scope the userinfo of the CP.

  • There is no way to provide binding information between CP:sub and IdP:sub.

The draft specifies the methods for an application to:

  • perform discovery for a Claims Provider

  • register a client to a Claims Provider

  • obtain claims from the Claims Provider

  • return aggregated claims from Claims Providers to requesting clients

After the presentation we discussed:

  • How consent will be handled. The IdP gets consent from the user to share claims with the RP. Does the Claims Provider have to get consent from the user to share the claims with the IdP?

  • The signed claims mechanism in the Claims Aggregation draft vs. DPoP in the Credential Provider draft?

  • What does making aggregated claims mandatory in the response mean for implementations?
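Added example, not from the session or the draft: how an RP consumes the aggregated-claims shape that Connect Core (section 5.6.2) already defines for the response, i.e. `_claim_names` pointing at `_claim_sources` entries that carry a Claims Provider JWT, verifying each embedded JWT against a trusted CP list before accepting the claim. The HS256 key, the issuer URLs and the claim values are assumptions; a real CP would sign with its published JWKS key.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(payload: dict, key: bytes) -> str:
    # Constructed HS256 signer; a real Claims Provider signs with its published JWKS key
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("Claims Provider JWT signature check failed")
    return json.loads(b64url_decode(body))

# Constructed: issuer -> verification key, as the RP would learn via Claims Provider discovery
TRUSTED_CPS = {"https://cp.example": b"cp-demo-key"}
# Top-level ID Token claims an aggregated source must never be allowed to override
RESERVED = {"iss", "sub", "aud", "exp", "iat", "nonce", "_claim_names", "_claim_sources"}

def resolve_aggregated_claims(id_token_claims: dict) -> dict:
    """Return the aggregated claims whose embedded Claims Provider JWT verifies."""
    names = id_token_claims.get("_claim_names", {})
    sources = id_token_claims.get("_claim_sources", {})
    resolved = {}
    for claim, src_id in names.items():
        if claim in RESERVED:
            raise ValueError(f"aggregated source may not override {claim!r}")
        src = sources.get(src_id, {})
        if "JWT" not in src:
            raise ValueError(f"source {src_id!r} is not an aggregated (JWT) source")
        # iss is read unverified only to select the key; the verified payload must repeat it
        iss = json.loads(b64url_decode(src["JWT"].split(".")[1])).get("iss")
        if iss not in TRUSTED_CPS:
            raise ValueError(f"untrusted Claims Provider {iss!r}")
        payload = verify_jwt(src["JWT"], TRUSTED_CPS[iss])
        if payload.get("iss") != iss or claim not in payload:
            raise ValueError(f"claim {claim!r} not asserted by {iss}")
        resolved[claim] = payload[claim]
    return resolved

def demo_id_token_claims() -> dict:
    # Constructed ID Token payload in the Connect Core 5.6.2 aggregated-claims shape
    cp_jwt = sign_jwt({"iss": "https://cp.example", "sub": "cp-user-42", "age_over_18": True},
                      TRUSTED_CPS["https://cp.example"])
    return {"iss": "https://idp.example", "sub": "idp-user-7", "_claim_names": {"age_over_18": "src1"},
            "_claim_sources": {"src1": {"JWT": cp_jwt}}}
```

The CP:sub / IdP:sub binding the session names as an open problem is deliberately not resolved here: the RP only learns that a trusted CP asserted the claim, not that it asserted it about the same subject.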

The best Claims Aggregation explanation that the industry has seen:

[[File:./media/image1.png|495x303px]]