boolean OIDC claims

Liam Hoekenga liamr at
Thu Jul 23 23:37:45 UTC 2020

Much of what I've done in our OIDC deployment has been guided by a REFEDS
white paper, "White Paper for implementation of mappings between SAML 2.0
and OpenID Connect in Research and Education"

In reference to the "email_verified" claim, it says...
    As in such case it may be assumed the email service being used is
    under direct administrative control of the Institution, and the
    for setting email_verified to "True" have been fulfilled.

I decided I'd send email_verified as part of the "email" scope.  The
problem is, the spec says the values for email_verified (and
phone_number_verified) are booleans, not strings.  (I imagine you'd have
a similar problem if you wanted to send updated_at, which is a number,
not a string).

According to the wiki for the OIDC plugin, there are three encoder types:
- string
- scoped string
- binary

I'm guessing with that in mind, we can't actually publish email_verified,
phone_number_verified, or updated_at keeping in line with the spec?
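
[Added example, not part of the original message and not code from the OIDC plugin: a relying-party-side check that flags email_verified, phone_number_verified and updated_at when they arrive with the wrong JSON type. This matters because a string such as "false" is truthy in most languages. The function names and the sample tokens are constructed for illustration.]

```python
import base64
import json

# JSON types OpenID Connect Core 1.0 (section 5.1) requires for these claims.
EXPECTED = {
    "email_verified": bool,
    "phone_number_verified": bool,
    "updated_at": (int, float),
}


def decode_payload(jwt: str) -> dict:
    """Return the claims object from a compact JWT (signature NOT verified)."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def mistyped_claims(claims: dict) -> dict:
    """Map each mistyped claim name to the JSON type actually received."""
    problems = {}
    for name, expected in EXPECTED.items():
        if name not in claims:
            continue
        value = claims[name]
        # bool is a subclass of int in Python, so reject true/false for numbers
        is_bool = isinstance(value, bool)
        ok = is_bool if expected is bool else (isinstance(value, expected) and not is_bool)
        if not ok:
            problems[name] = type(value).__name__
    return problems


def _make_jwt(claims: dict) -> str:
    """Build an unsigned token for the demo (constructed sample, alg none)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


# Constructed samples: what a string-only encoder would emit vs. the spec form.
STRING_ENCODED = _make_jwt({"sub": "u1", "email": "u1@example.org",
                            "email_verified": "true", "updated_at": "1595547465"})
SPEC_ENCODED = _make_jwt({"sub": "u1", "email": "u1@example.org",
                          "email_verified": True, "updated_at": 1595547465})

if __name__ == "__main__":
    for label, token in (("string-encoded", STRING_ENCODED), ("spec", SPEC_ENCODED)):
        print(label, mistyped_claims(decode_payload(token)))
```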
