boolean OIDC claims
Liam Hoekenga
liamr at umich.edu
Thu Jul 23 23:37:45 UTC 2020
Much of what I've done in our OIDC deployment has been guided by a REFEDS
white paper, "White Paper for implementation of mappings between SAML 2.0
and OpenID Connect in Research and Education"
<https://wiki.refeds.org/download/attachments/38895621/20181011-OIDC-WP.pdf>
In reference to the "email_verified" claim, it says...
As in such case it may be assumed the email service being used is
under direct administrative control of the Institution, and the
requirements for setting email_verified to "True" have been fulfilled.
I decided I'd send email_verified as part of the "email" scope. The
problem is, the spec
<https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>
says the values for email_verified (and phone_number_verified) are
booleans, not strings. (I imagine you'd have a similar problem if you
wanted to send updated_at, which is a number, not a string.)
According to the wiki for the OIDC plugin
<https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/AttributeEncoderPluginConfiguration#attributeencoder-plugin-types>,
there are three encoder types:
- string
- scoped string
- binary
I'm guessing, with that in mind, that we can't actually publish email_verified,
phone_number_verified, or updated_at while keeping in line with the spec?
Liam
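The type mismatch raised above matters on the relying-party side too. The following is an added example (not code from the post, the Shibboleth IdP or the OIDC plugin) that checks a UserInfo/ID Token claim set against the JSON types OIDC Core 1.0 prescribes, and shows why a relying party should test for a JSON true rather than for truthiness: a string-encoded "false" is truthy. The sample claim sets are constructed; the subject and e-mail values are placeholders.

```python
import json

# OIDC Core 1.0 Standard Claims whose values must be JSON booleans or numbers,
# not strings (see the StandardClaims section of the spec linked above).
BOOLEAN_CLAIMS = ("email_verified", "phone_number_verified")
NUMBER_CLAIMS = ("updated_at",)


def validate_claim_types(claims: dict) -> list:
    """Return a list of type problems found in a claim set (empty if conformant)."""
    problems = []
    for name in BOOLEAN_CLAIMS:
        if name in claims and not isinstance(claims[name], bool):
            problems.append(f"{name}: expected JSON boolean, got {claims[name]!r}")
    for name in NUMBER_CLAIMS:
        if name in claims:
            value = claims[name]
            # bool is a subclass of int in Python, so it must be excluded explicitly
            if isinstance(value, bool) or not isinstance(value, (int, float)):
                problems.append(f"{name}: expected JSON number, got {value!r}")
    return problems


def email_is_verified(claims: dict) -> bool:
    """Strict reading: only a JSON true counts as a verified address."""
    return claims.get("email_verified") is True


def email_is_verified_lax(claims: dict) -> bool:
    """Truthiness check a naive relying party might write; misreads the string "false"."""
    return bool(claims.get("email_verified", False))


# Constructed sample responses (placeholder subject and address).
# One is spec-conformant; the other carries string-encoded values, as a
# string-only attribute encoder would produce.
CONFORMANT = json.loads(
    '{"sub": "user123", "email": "user@example.edu",'
    ' "email_verified": true, "updated_at": 1595547465}'
)
STRING_ENCODED = json.loads(
    '{"sub": "user123", "email": "user@example.edu",'
    ' "email_verified": "false", "updated_at": "1595547465"}'
)

if __name__ == "__main__":
    for label, claims in (("conformant", CONFORMANT), ("string-encoded", STRING_ENCODED)):
        print(label, validate_claim_types(claims),
              "strict:", email_is_verified(claims), "lax:", email_is_verified_lax(claims))
```

With the string-encoded response the lax check reports the address as verified even though the IdP sent "false"; the strict check and the type validator both reject it.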