
Possible scope claims collisions #6

Open
giffarda opened this issue Sep 30, 2022 · 2 comments

giffarda commented Sep 30, 2022

According to the schemas, the /userinfo endpoint can return a response like the one below:

{
    "sub": "0faa3bdf-2178-4600-989f-b3a95add44e0",
    "lastName": {
        "value": "john",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "email_verified": true,
    "gender": {
        "value": "Masculin",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "preferred_username": "john@cap.com",
    "given_name": "john",
    "birthDate": {
        "value": "1999-09-24",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "middleNames": {
        "value": "Names",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "firstName": {
        "value": "john",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "birthPlace": {
        "value": "Paris",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "birthCountry": {
        "value": "France",
        "source": "franceconnect.gouv.fr",
        "certificationDate": "1997-03-09T00:00:00.0Z"
    },
    "name": "john john",
    "family_name": "john",
    "email": "john@cap.com"
}

@BertrandGervais @jthiard @ghislainfabmob do we want to encapsulate information by scope for more readability and to avoid claim collisions between all the claims used by the clients?


giffarda commented Nov 8, 2022

An example with the email OIDC claim and the personalInformation.email CMS claim.

At the root of the /userinfo response, we cannot have the CMS email claim, but we will have the OIDC email claim as below:

"email": "citoyen1.cms@yopmail.com"

I suggest encapsulating the CMS scopes in a cms object in order to avoid conflicts with the other scopes requested:

    "cms": {
        "personal-information": {
            "email": {
                "value": "citoyen1.cms@yopmail.com",
                "source": "moncomptemobilite.fr",
                "certificationDate": "2022-11-08T13:44:00"
            }
        }
    }

@jthiard jthiard self-assigned this Nov 9, 2022

jthiard commented Nov 9, 2022

Indeed, this was left in a sort of undefined state in the first iteration of the standard.
Your suggestion is in my opinion the right thing to do to avoid claim collisions.

To document this I suggest we should

  • create and document a new "cms" schema with an optional property for each sub-schema
  • document in the API part that if one or more urn:cms:* scopes are requested, the /userinfo response must contain the cms object
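The collision discussed in this thread, and the namespacing proposed in the two comments above, as an added example (this is illustrative code written for this page, not code from the issue or from the moncomptemobilite.fr project). It builds a /userinfo response twice from the same constructed claims: once flat, where the CMS "email" silently overwrites the OIDC "email", and once with the CMS claims under a "cms" object keyed by sub-schema, where both survive. It also shows the client-side check for the rule jthiard describes (a "cms" object must be present whenever a urn:cms:* scope was requested). The scope name urn:cms:personal-information, the derivation of the sub-schema name from the scope suffix, the helper names and all claim values are assumptions made for the example.

```python
"""Added example (not code from the issue or the project): how a flat /userinfo
response lets an OIDC claim and a CMS claim with the same name collide, and how
namespacing the CMS claims under a "cms" object, one property per sub-schema,
avoids it. All data below is constructed; the scope names, the sub-schema
naming and the helper names are assumptions."""

from copy import deepcopy

CMS_SCOPE_PREFIX = "urn:cms:"
REQUIRED_CLAIM_FIELDS = ("value", "source", "certificationDate")

# Constructed OIDC standard claims, as they sit at the root of /userinfo.
OIDC_CLAIMS = {
    "sub": "0faa3bdf-2178-4600-989f-b3a95add44e0",
    "email": "john@cap.com",
    "email_verified": True,
    "given_name": "john",
    "family_name": "john",
}

# Constructed CMS claims, keyed by the urn:cms:* scope that releases them
# (the scope name is an assumption). Each claim uses the
# {value, source, certificationDate} shape shown in the issue.
CMS_CLAIMS_BY_SCOPE = {
    "urn:cms:personal-information": {
        "email": {
            "value": "citoyen1.cms@yopmail.com",
            "source": "moncomptemobilite.fr",
            "certificationDate": "2022-11-08T13:44:00",
        },
        "birthDate": {
            "value": "1999-09-24",
            "source": "franceconnect.gouv.fr",
            "certificationDate": "1997-03-09T00:00:00.0Z",
        },
    },
}


def flat_userinfo(oidc, cms_by_scope, requested_scopes):
    """Merge every claim at the root, as the first iteration of the standard
    left it. Returns (response, collided_names): the last writer wins, so the
    OIDC "email" and the CMS "email" cannot both be present."""
    response = deepcopy(oidc)
    collisions = []
    for scope in requested_scopes:
        for name, claim in cms_by_scope.get(scope, {}).items():
            if name in response:
                collisions.append(name)
            response[name] = deepcopy(claim)
    return response, collisions


def namespaced_userinfo(oidc, cms_by_scope, requested_scopes):
    """Put CMS claims under response["cms"][<sub-schema>], where the sub-schema
    name is taken from the scope suffix (an assumption). response["email"] and
    response["cms"]["personal-information"]["email"] are then distinct keys."""
    response = deepcopy(oidc)
    for scope in requested_scopes:
        if not scope.startswith(CMS_SCOPE_PREFIX) or scope not in cms_by_scope:
            continue
        sub_schema = scope[len(CMS_SCOPE_PREFIX):]
        response.setdefault("cms", {})[sub_schema] = deepcopy(cms_by_scope[scope])
    return response


def check_cms_object(response, requested_scopes):
    """Client-side check of the rule proposed in the thread: if at least one
    urn:cms:* scope was requested, the response must carry a "cms" object.
    Sub-schema properties are optional in the proposal, so only those present
    are validated, each claim needing the value/source/certificationDate shape.
    Returns a list of problems; an empty list means the response is acceptable."""
    if not any(s.startswith(CMS_SCOPE_PREFIX) for s in requested_scopes):
        return []
    cms = response.get("cms")
    if not isinstance(cms, dict):
        return ['missing "cms" object although a urn:cms:* scope was requested']
    problems = []
    for sub_schema, claims in cms.items():
        if not isinstance(claims, dict):
            problems.append(f'"cms.{sub_schema}" is not an object')
            continue
        for name, claim in claims.items():
            if not isinstance(claim, dict):
                missing = list(REQUIRED_CLAIM_FIELDS)
            else:
                missing = [f for f in REQUIRED_CLAIM_FIELDS if f not in claim]
            if missing:
                problems.append(f'"cms.{sub_schema}.{name}" lacks {missing}')
    return problems


if __name__ == "__main__":
    scopes = ["openid", "email", "urn:cms:personal-information"]
    flat, collided = flat_userinfo(OIDC_CLAIMS, CMS_CLAIMS_BY_SCOPE, scopes)
    print("flat collisions:", collided, "-> root email is now", flat["email"])
    nested = namespaced_userinfo(OIDC_CLAIMS, CMS_CLAIMS_BY_SCOPE, scopes)
    print("OIDC email:", nested["email"], "| CMS email:",
          nested["cms"]["personal-information"]["email"]["value"])
    print("check:", check_cms_object(nested, scopes) or "ok")
```

Running the block shows the flat merge reporting "email" as a collision and replacing the plain OIDC string with the CMS object, while the namespaced merge keeps both values and passes the check. The check deliberately rejects a "cms" value that is not an object, since a client that reads `response["cms"]["personal-information"]["email"]["value"]` on a malformed response would otherwise raise or, worse, accept the wrong claim.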
