boolean OIDC claims
Mak, Steve
makst at upenn.edu
Fri Jul 24 13:29:53 UTC 2020
Use the asBoolean attribute on the OIDCString encoder.
<AttributeEncoder xsi:type="oidcext:OIDCString" asBoolean="true" name="email_verified" />
From: users <users-bounces at shibboleth.net> on behalf of Liam Hoekenga <liamr at umich.edu>
Reply-To: Shib Users <users at shibboleth.net>
Date: Thursday, July 23, 2020 at 19:38
To: Shib Users <users at shibboleth.net>
Subject: boolean OIDC claims
Much of what I've done in our OIDC deployment has been guided by a REFEDS white paper, "White Paper for implementation of mappings between SAML 2.0 and OpenID Connect in Research and Education" <https://wiki.refeds.org/download/attachments/38895621/20181011-OIDC-WP.pdf>
In reference to the "email_verified" claim, it says...
As in such case it may be assumed the email service being used is
under direct administrative control of the Institution, and the requirements
for setting email_verified to "True" have been fulfilled.
I decided I'd send email_verified as part of the "email" scope. The problem is, the spec<https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims> says, the value for email_verified (and phone_number_verified) are booleans, not strings. (I imagine you'd have a similar problem if you wanted to send updated_at, which is a number, not a string).
According to the wiki for the OIDC plugin <https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/AttributeEncoderPluginConfiguration#attributeencoder-plugin-types>, there are three encoder types:
- string
- scoped string
- binary
I'm guessing with that in mind, we can't actually publish email_verified, phone_number_verified, or updated_at keeping in line with the spec?
Liam
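The reason the encoder setting matters to a relying party is the point the thread makes: the spec types email_verified and phone_number_verified as JSON booleans and updated_at as a JSON number, so a consumer that checks types strictly will reject a string-encoded "true". The following is an added example (not code from the thread, the IdP or the plugin) of a strict claim-type check on the RP side; the two claim sets are constructed samples, and the function and constant names are my own.

```python
import json
from typing import List

# Expected JSON types for the standard claims discussed in the thread whose
# values are not strings (OpenID Connect Core 1.0, StandardClaims table).
NON_STRING_CLAIM_TYPES = {
    "email_verified": bool,
    "phone_number_verified": bool,
    "updated_at": (int, float),
}


def claim_type_errors(claims: dict) -> List[str]:
    """Describe every present claim whose JSON type violates the spec.

    A string such as "true" is reported even though a lenient consumer might
    coerce it: the IdP is expected to emit a real boolean (asBoolean="true").
    """
    errors = []
    for name, expected in NON_STRING_CLAIM_TYPES.items():
        if name not in claims:
            continue
        value = claims[name]
        if expected is bool:
            ok = isinstance(value, bool)
        else:
            # bool is a subclass of int in Python, so exclude it for numbers.
            ok = isinstance(value, expected) and not isinstance(value, bool)
        if not ok:
            errors.append(f"{name}: got {type(value).__name__} {value!r}")
    return errors


def email_is_verified(claims: dict) -> bool:
    """Strict RP check: only a JSON true counts as a verified email."""
    return claims.get("email_verified") is True


# Constructed sample claim sets: string-encoded (what a plain OIDCString
# encoder would produce) versus correctly typed (asBoolean / numeric values).
STRING_ENCODED = json.loads(
    '{"sub":"u1","email":"u1@example.edu","email_verified":"true",'
    '"updated_at":"1595554740"}'
)
BOOLEAN_ENCODED = json.loads(
    '{"sub":"u1","email":"u1@example.edu","email_verified":true,'
    '"updated_at":1595554740}'
)

if __name__ == "__main__":
    for label, claims in (("string", STRING_ENCODED), ("boolean", BOOLEAN_ENCODED)):
        print(label, claim_type_errors(claims), email_is_verified(claims))
```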