_ claim_ sources
Registry Context
`_claim_sources` identifies where aggregated or distributed claim values come from. Its members are referenced by `_claim_names` values.
Technical Summary
A JSON object whose member names are source identifiers referenced from `_claim_names`. Each member value describes either aggregated claims using a JWT member or distributed claims using an endpoint, and may include an access token for retrieval.
When Used
Used in OpenID Connect aggregated and distributed claims responses when some claim values are supplied by referenced claim sources.
Normative Requirements
Aggregated Claims source object
openid-connect-core-1_0 - Section 5.6.2
contain a `JWT` member whose value is a JWT that contains all claims in `_claim_names` that reference the corresponding `_claim_sources` member..
Condition: When an `_claim_sources` member provides aggregated claims.
JSON object that MUST contain the JWT member whose value is a JWT that MUST contain all the Claims in the _claim_names object
openid-connect-core-1_0 - Section 5.6.2
contain members other than `JWT`..
Condition: When an `_claim_sources` member provides aggregated claims.
Other members MAY be present.
Distributed Claims endpoint URL
openid-connect-core-1_0 - Section 5.6.2
return the claim as a JWT..
Condition: When retrieving an associated distributed claim from the endpoint URL.
The endpoint URL MUST return the Claim as a JWT.
Distributed Claims source object
openid-connect-core-1_0 - Section 5.6.2
include an endpoint URL from which the associated claim can be retrieved..
Condition: When an `_claim_sources` member provides distributed claims.
REQUIRED. OAuth 2.0 resource endpoint from which the associated Claim can be retrieved.
openid-connect-core-1_0 - Section 5.6.2
include an access token enabling retrieval of the claims from the endpoint URL..
Condition: When an `_claim_sources` member provides distributed claims.
OPTIONAL. Access Token enabling retrieval of the Claims from the endpoint URL
Implementation
openid-connect-core-1_0 - Section 5.6.2
ignore `_claim_sources` source-object members it does not understand..
Condition: When processing aggregated claims source objects.
Any members used that are not understood MUST be ignored.
RPs
openid-connect-core-1_0 - Section 5.6.2
be prepared to handle the condition that some claims listed in `_claim_sources` are not returned from the Claims Provider..
Condition: When processing distributed claims.
RPs MUST be prepared to handle the condition that some Claims listed in _claim_sources are not returned from the Claims Provider.
Validation Guidance
Verify `_claim_sources` is a JSON object whose member names can be referenced by values in `_claim_names`.
For aggregated claims, require a `JWT` member and verify that JWT contains all claims referenced by `_claim_names` for that source.
Ignore unrecognized members in aggregated claim source objects.
For distributed claims, require an endpoint URL and verify that the endpoint returns the claim as a JWT.
Do not fail solely because a Claims Provider omits some claims listed in `_claim_sources`; handle it like any other requested claim that is not returned.
Security Notes
openid-connect-core-1_0 - Section 5.6.2
Distributed claims can involve access tokens and remote retrieval from Claims Providers; validate returned JWTs before relying on claim values.
Reference
Details
- Entry Id
_claim_ sources - Claim Name
_claim_ sources - Claim Description
JSON object whose member names are referenced by the member values of the _claim_ names member - Change Controller
OpenID_Foundation_ Artifact_ Binding_ Working_ Group - Reference
OpenID Connect Core 1.0 - Section 5.6.2