boolean OIDC claims

Mak, Steve makst at
Fri Jul 24 13:29:53 UTC 2020

Use the asBoolean attribute on the OIDCString encoder.

<AttributeEncoder xsi:type="oidcext:OIDCString" asBoolean="true" name="email_verified" />

From: users <users-bounces at> on behalf of Liam Hoekenga <liamr at>
Reply-To: Shib Users <users at>
Date: Thursday, July 23, 2020 at 19:38
To: Shib Users <users at>
Subject: boolean OIDC claims

Much of what I've done in our OIDC deployment has been guided by a REFEDS white paper, "White Paper for implementation of mappings between SAML 2.0 and OpenIDConnect in Research and Education".

In reference to the "email_verified" claim, it says...
    As in such case it may be assumed the email service being used is
    under direct administrative control of the Institution, and the requirements
    for setting email_verified to "True" have been fulfilled.

I decided I'd send email_verified as part of the "email" scope.  The problem is, the spec says the values for email_verified (and phone_number_verified) are booleans, not strings.  (I imagine you'd have a similar problem if you wanted to send updated_at, which is a number, not a string.)

Acc'd to the wiki for the OIDC plugin, there are three encoder types:
- string
- scoped string
- binary

I'm guessing with that in mind, we can't actually publish email_verified, phone_number_verified, or updated_at keeping in line with the spec?
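
Added example, not part of the original thread or the plugin's code: a check that the claims discussed above (email_verified, phone_number_verified, updated_at) arrive with the JSON types the spec requires, which is how you would confirm the asBoolean setting took effect. The tokens are constructed and unsigned, and the function names are hypothetical.

```python
import base64
import json

# JSON types the OIDC spec requires for the claims named in the thread.
EXPECTED_TYPES = {
    "email_verified": bool,
    "phone_number_verified": bool,
    "updated_at": (int, float),
}


def decode_payload(jwt_compact):
    """Return the claims of a compact JWS without verifying the signature."""
    parts = jwt_compact.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def claim_type_errors(claims):
    """List claims whose JSON type differs from what the spec requires."""
    errors = []
    for name, expected in EXPECTED_TYPES.items():
        if name not in claims:
            continue
        value = claims[name]
        # bool is a subclass of int in Python, so reject True/False for numbers.
        is_bool = isinstance(value, bool)
        ok = is_bool if expected is bool else (isinstance(value, expected) and not is_bool)
        if not ok:
            errors.append(f"{name}: got {type(value).__name__} {value!r}")
    return errors


def make_token(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


# Constructed samples: string-encoded claims versus correctly typed ones.
AS_STRING = make_token({"email": "user@example.org", "email_verified": "true", "updated_at": "1595597393"})
AS_TYPED = make_token({"email": "user@example.org", "email_verified": True, "updated_at": 1595597393})

if __name__ == "__main__":
    for label, token in (("string", AS_STRING), ("typed", AS_TYPED)):
        print(label, claim_type_errors(decode_payload(token)) or "ok")
```

A relying party that compares email_verified strictly against a boolean treats the string "true" as unverified, while one that only tests truthiness accepts the string "false" as verified, so the type matters on both sides.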
