oauth2.dev

_claim_sources

OpenID_Foundation_Artifact_Binding_Working_Group

Registry Context

`_claim_sources` identifies where aggregated or distributed claim values come from. Its members are referenced by `_claim_names` values.

Technical Summary

A JSON object whose member names are source identifiers referenced from `_claim_names`. Each member value describes either aggregated claims using a JWT member or distributed claims using an endpoint, and may include an access token for retrieval.

When Used

Used in OpenID Connect aggregated and distributed claims responses when some claim values are supplied by referenced claim sources.

Normative Requirements

Aggregated Claims source object

MUST
1
  1. openid-connect-core-1_0 - Section 5.6.2

    contain a `JWT` member whose value is a JWT that contains all claims in `_claim_names` that reference the corresponding `_claim_sources` member..

    Condition: When an `_claim_sources` member provides aggregated claims.

    JSON object that MUST contain the JWT member whose value is a JWT that MUST contain all the Claims in the _claim_names object

MAY
1
  1. openid-connect-core-1_0 - Section 5.6.2

    contain members other than `JWT`..

    Condition: When an `_claim_sources` member provides aggregated claims.

    Other members MAY be present.

Distributed Claims endpoint URL

MUST
1
  1. openid-connect-core-1_0 - Section 5.6.2

    return the claim as a JWT..

    Condition: When retrieving an associated distributed claim from the endpoint URL.

    The endpoint URL MUST return the Claim as a JWT.

Distributed Claims source object

REQUIRED
1
  1. openid-connect-core-1_0 - Section 5.6.2

    include an endpoint URL from which the associated claim can be retrieved..

    Condition: When an `_claim_sources` member provides distributed claims.

    REQUIRED. OAuth 2.0 resource endpoint from which the associated Claim can be retrieved.

OPTIONAL
1
  1. openid-connect-core-1_0 - Section 5.6.2

    include an access token enabling retrieval of the claims from the endpoint URL..

    Condition: When an `_claim_sources` member provides distributed claims.

    OPTIONAL. Access Token enabling retrieval of the Claims from the endpoint URL

Implementation

MUST
1
  1. openid-connect-core-1_0 - Section 5.6.2

    ignore `_claim_sources` source-object members it does not understand..

    Condition: When processing aggregated claims source objects.

    Any members used that are not understood MUST be ignored.

RPs

MUST
1
  1. openid-connect-core-1_0 - Section 5.6.2

    be prepared to handle the condition that some claims listed in `_claim_sources` are not returned from the Claims Provider..

    Condition: When processing distributed claims.

    RPs MUST be prepared to handle the condition that some Claims listed in _claim_sources are not returned from the Claims Provider.

Validation Guidance

error

Verify `_claim_sources` is a JSON object whose member names can be referenced by values in `_claim_names`.

error

For aggregated claims, require a `JWT` member and verify that JWT contains all claims referenced by `_claim_names` for that source.

error

Ignore unrecognized members in aggregated claim source objects.

error

For distributed claims, require an endpoint URL and verify that the endpoint returns the claim as a JWT.

warning

Do not fail solely because a Claims Provider omits some claims listed in `_claim_sources`; handle it like any other requested claim that is not returned.

Security Notes

openid-connect-core-1_0 - Section 5.6.2

Distributed claims can involve access tokens and remote retrieval from Claims Providers; validate returned JWTs before relying on claim values.

Reference

Details

Entry Id
_claim_sources
Claim Name
_claim_sources
Claim Description
JSON object whose member names are referenced by the member values of the _claim_names member
Change Controller
OpenID_Foundation_Artifact_Binding_Working_Group
Reference
OpenID Connect Core 1.0 - Section 5.6.2