Align null claim handling in ID tokens with OIDC recommendations #1285
fullstackdesign-xyz started this conversation in Ideas
The module merely returns the claims returned from the account's claims() method. Don't return null there and the module won't include them in the ID Tokens.
Description
The OpenID Connect Core specification (Section 5.1) recommends omitting claims with null values from ID tokens. However, node-oidc-provider currently explicitly includes null claims in the ID token. This behaviour, while valid, may cause compatibility issues with strict OIDC client implementations and deviates from the specification's guidance.
👩🏻💻 Current behavior example
An ID token generated by node-oidc-provider may include null claims like so:
🚨 Issues
💡 Proposal
To improve compatibility and adhere more closely to OIDC best practices, I suggest the following changes:
📜 Relevant OpenID Connect Core 1.0 specification
The OpenID Connect Core 1.0 specification states:
"Claims with null values SHOULD be omitted from the ID Token." - Source: OpenID Connect Core 1.0 Specification
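One way to follow the reply's advice about the account's `claims()` method, as an added example that is not code from node-oidc-provider or from this thread: a `findAccount` whose `claims()` strips null and undefined members before returning them. `sampleAccounts` and `omitNullClaims` are hypothetical names, and the account record is constructed sample data.

```javascript
// Added example: filter null/undefined claims before the provider sees them.
// The account store and its single record are constructed sample data.
const sampleAccounts = new Map([
  ['user-1', {
    email: 'jane@example.com',
    email_verified: true,
    middle_name: null,        // unset in the user store
    phone_number: undefined,  // never collected
    address: { country: 'DE', region: null, locality: 'Berlin' },
    website: null,
  }],
]);

// Recursively drop members whose value is null or undefined (JSON-style
// values assumed). Nested claim objects such as `address` are cleaned too,
// and a nested object left empty is dropped. Arrays and falsy values such
// as false, 0 and '' are real claim values and are kept.
function omitNullClaims(claims) {
  const out = {};
  for (const [name, value] of Object.entries(claims)) {
    if (value === null || value === undefined) continue;
    if (typeof value === 'object' && !Array.isArray(value)) {
      const nested = omitNullClaims(value);
      if (Object.keys(nested).length > 0) out[name] = nested;
    } else {
      out[name] = value;
    }
  }
  return out;
}

// findAccount in the shape the provider configuration expects: it resolves
// to an object with `accountId` and an async `claims()` method.
async function findAccount(ctx, sub) {
  const record = sampleAccounts.get(sub);
  if (!record) return undefined;
  return {
    accountId: sub,
    async claims(use, scope) {
      // `sub` is always present; every other claim is filtered.
      return { sub, ...omitNullClaims(record) };
    },
  };
}
```

The function is passed as the `findAccount` option in the provider configuration, so the filtering happens once in the account layer rather than in each client.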