Is throwing expected claim "${claim}" in "${sourceName}" the correct behaviour on missing source? #197
Comments
https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.6.2
... does this mean the endpoint MUST return the Claim or that the Claim MUST be JWT?
Hi Sebastian, https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims The JWT returned by the resource (
Its processing is the same, ergo throw if the Feel free to double check on the OIDC WG mailing list or issue tracker, I might be in the wrong to apply the same processing for distributed as for aggregated.
IMHO throwing an exception is a bit hard, as more graceful handling would be possible. In case of distributed claims the IdP may not know what claims are stored by the claims source, therefore there is no such strict language as with Aggregated Claims.
Reopening based on WG feedback to the issue. Expect a fix in the next release.
An error expected claim "${claim}" in "${sourceName}" is thrown if distributed sources do not return all claims referenced in _claim_names: https://github.com/panva/node-openid-client/blob/master/lib/client.js#L55
Example:
when fetching the distributed claims gender is missing:
which then throws
RPError: expected claim "gender" in "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab"
Is this the correct behaviour according to RFC?
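The two behaviours discussed in this thread, throwing on a missing distributed claim versus handling it gracefully, shown side by side as an added example that is not node-openid-client's code. The names `mergeDistributedClaims`, `strict` and `fetched` are hypothetical, and the example assumes each source's JWT has already been fetched and verified.

```javascript
// Added example (not node-openid-client code). Merges distributed claims
// (OIDC Core 5.6.2) once each source's JWT has been fetched and verified.
// `fetched` is a hypothetical map: source name -> verified JWT payload.
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

function mergeDistributedClaims(claims, fetched, { strict = true } = {}) {
  const names = claims._claim_names || {};
  const sources = claims._claim_sources || {};
  const merged = Object.create(null); // no prototype: "__proto__" is just a key
  const missing = [];
  for (const [k, v] of Object.entries(claims)) {
    if (k !== '_claim_names' && k !== '_claim_sources') merged[k] = v;
  }
  for (const [claim, sourceName] of Object.entries(names)) {
    if (!own(sources, sourceName)) {
      throw new Error(`_claim_names references unknown source "${sourceName}"`);
    }
    const payload = own(fetched, sourceName) ? fetched[sourceName] : null;
    if (payload && own(payload, claim)) {
      // Copy only the claim the IdP referenced; anything else the source
      // returned (e.g. an unreferenced "role") is ignored.
      merged[claim] = payload[claim];
    } else if (strict) {
      throw new Error(`expected claim "${claim}" in "${sourceName}"`);
    } else {
      missing.push({ claim, sourceName }); // caller decides how to degrade
    }
  }
  return { claims: merged, missing };
}

// Constructed sample; only the source name is taken from the report above.
const SRC = '55eb6148-9ddf-4f2d-98a6-30cbae6ebbab';
const userinfo = {
  sub: 'user-1',
  _claim_names: { gender: SRC, birthdate: SRC },
  _claim_sources: { [SRC]: { endpoint: 'https://claims.example/c', access_token: 'PLACEHOLDER' } },
};
const fetched = { [SRC]: { birthdate: '1990-01-01', role: 'admin' } }; // no gender

const lenient = mergeDistributedClaims(userinfo, fetched, { strict: false });
console.log(lenient.missing); // claims the source did not return
```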