From: Marcus H. <ha...@ki...> - 2022-03-02 08:25:48
[..]
> > > > > Configuring per client is not acceptable as the same client may operate in
> > > > > different contexts and in some it is using some dumb services which have a
> > > > > limit on access token size.
> > > > Yes. Fully agree.
> > > > > So what are the proposals here? Use some proprietary request parameter for
> > > > > it?
> > > > I really don't know. If this is really about which scopes go into which
> > > > place (JWT vs userinfo), then something proprietary might not be so
> > > > harmful. I'm sure this question will bother others, too.
> > > >
> > > > One way out, could be to live with the long ATs.
> > > >
> > > > I'll check with our OIDC expert, but this won't turn around before monday.
> > >
> > > OK, let us know.
> > >
> > > If thinking about proprietary solution, I think we can have it. However I'd
> > > keep it dead simple: just a flag "uy_put_claims_in_access_token", which
> > > would put all claims in AT.
> > He suggested using the same mechanism as in the "claims" place, but using
> > a different keyword.
> >
> > He sends this reference: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
> >
> > Maybe just calling it "claims_at" would be all it takes.
>
> The claims parameter which in OIDC spec governs what should be put in id
> token or user info fits nicely after adding claims_at. Agreed. But from
> client side it is quite a complex parameter - you operate not on "all
> claims", not on "claims related to scopes" but on individual claims. You
> need to know them, there is no "*". Also this is complementary to claims
> resulting from scopes, what dramatically increases complexity (e.g. asking
> user to accept some well defined scopes is easy, but about each individual
> attribute/claim is not).
>
> It sounds to me 10x more complex than what you need.

If so, then there must be some misunderstanding.
I'm pretty sure I wanted to write `scopes_at` (but deep inside me I hate those OIDC folks for tying the claims to scopes. I think I get the idea, but it's not so transparent).

--
Marcus.
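The thread contrasts two ways an OpenID Provider decides which claims go where: the scope-to-claims mapping of OIDC Core section 5.4 and the "claims" request parameter of section 5.5, which names individual claims per target with no wildcard. The following is an added worked example, not code from Unity or any other project in the thread, showing a resolver that merges both inputs. The `claims_at` target is the thread's proposal and is treated here as a hypothetical, non-standard key; the sample request at the bottom is constructed.

```python
"""
Added illustration: resolve which claims an OpenID Provider should release
per target ("id_token", "userinfo") from

  1. the granted scopes (OIDC Core 1.0 section 5.4 scope -> claims mapping), and
  2. the "claims" request parameter (OIDC Core 1.0 section 5.5), which lists
     individual claim names per target and offers no "*" shortcut.

"claims_at" is the hypothetical extra target discussed in the thread for
steering claims into the access token; it is not part of the OIDC spec.
"""
import json

# OIDC Core 1.0 section 5.4: standard scopes and the claims each requests.
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

STANDARD_TARGETS = ("id_token", "userinfo")
HYPOTHETICAL_TARGETS = ("claims_at",)   # proposal from the thread, not OIDC


def scope_claims(scopes):
    """Union of the claims implied by the granted scopes."""
    claims = set()
    for scope in scopes:
        claims |= SCOPE_CLAIMS.get(scope, set())
    return claims


def parse_claims_request(raw):
    """
    Parse and validate a "claims" request parameter (JSON string or dict).
    Returns {target: {claim_name: {"essential": bool, "value": ..., "values": ...}}}.
    Rejects unknown targets and the wildcard the thread notes does not exist.
    """
    obj = json.loads(raw) if isinstance(raw, str) else raw
    if not isinstance(obj, dict):
        raise ValueError("claims parameter must be a JSON object")
    result = {}
    for target, members in obj.items():
        if target not in STANDARD_TARGETS + HYPOTHETICAL_TARGETS:
            raise ValueError(f"unknown claims target {target!r}")
        if not isinstance(members, dict):
            raise ValueError(f"{target} must map claim names to null or an object")
        result[target] = {}
        for name, spec in members.items():
            if not name or name == "*":
                raise ValueError("claims must be named individually; no wildcard")
            spec = {} if spec is None else spec
            if not isinstance(spec, dict):
                raise ValueError(f"claim {name!r}: spec must be null or an object")
            result[target][name] = {
                "essential": bool(spec.get("essential", False)),
                "value": spec.get("value"),
                "values": spec.get("values"),
            }
    return result


def resolve_claims(scopes, claims_param=None, response_type="code"):
    """
    Decide, per target, which claim names to release.
    Scope-derived claims go to userinfo, or into the id_token when no access
    token is issued (response_type=id_token), as section 5.4 describes; the
    claims parameter adds individually named claims to whichever target it names.
    """
    parsed = parse_claims_request(claims_param) if claims_param else {}
    result = {t: set() for t in STANDARD_TARGETS + HYPOTHETICAL_TARGETS}
    scope_target = "id_token" if response_type == "id_token" else "userinfo"
    result[scope_target] |= scope_claims(scopes)
    for target, members in parsed.items():
        result[target] |= set(members)
    return result


def essential_claims(claims_param):
    """Claim names the RP flagged as essential, per target."""
    parsed = parse_claims_request(claims_param)
    return {t: {n for n, s in m.items() if s["essential"]} for t, m in parsed.items()}


# Constructed sample request: "email" scope plus an explicit claims parameter.
SAMPLE_CLAIMS = json.dumps({
    "id_token": {"auth_time": {"essential": True},
                 "acr": {"values": ["urn:mace:incommon:iap:silver"]}},
    "userinfo": {"given_name": {"essential": True}, "nickname": None},
    "claims_at": {"email": None},   # hypothetical target from the thread
})

if __name__ == "__main__":
    for target, names in resolve_claims(["openid", "email"], SAMPLE_CLAIMS).items():
        print(target, sorted(names))
```

The point the thread makes falls out of the resolver: scopes buy you a fixed bundle of claims per target, while the claims parameter forces the client to enumerate each claim by name, and the two sets are unioned rather than one replacing the other.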