Angga Haqqu

Reputation: 13

What is the purpose of claims request parameter on OAuth 2.0?

OpenID Connect specification section 5.5 explains that an RP can request claims using the claims request parameter. http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter

What is the purpose of this feature?

Does this feature create security vulnerabilities, as the user is able to set claims?

For example, a user can modify the URL in the browser into:

https://op.example.com/authorize?
response_type=code
&client_id=client
&redirect_uri=https://client.example.com
&scope=openid
&claims={"userinfo" : {"sub": { "value" : "superuser"}} , "id_token" : {"sub": { "value" : "superuser" }}}

If the OP implements this feature, then the OP puts those claims into the ID token and user info.

Upvotes: 1

Views: 1187

Answers (1)

Hans Z.

Reputation: 53958

The purpose of this feature is to request claims, possibly with a certain desired value. It does not mean that the RP is able to set claim values. Instead the OP should verify which of the requested claims and values match for the authenticated user and return only those claims that are valid.

Upvotes: 1
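As an added illustration of the answer (example code, not part of the question, the answer, or any OpenID provider), the following OP-side helper resolves a claims request against what the OP actually knows about the authenticated user. A requested "value"/"values" only restricts which claims are released; the released values always come from the user record, so the tampered request from the question yields nothing. The user record and requests below are constructed sample data.

```python
import json

# Constructed record of the authenticated user as stored at the OP.
AUTHENTICATED_USER = {
    "sub": "248289761001",
    "email": "jane@example.com",
    "acr": "urn:mace:incommon:iap:silver",
}

# The claims parameter from the question's tampered URL (straight quotes).
TAMPERED_REQUEST = ('{"userinfo": {"sub": {"value": "superuser"}}, '
                    '"id_token": {"sub": {"value": "superuser"}}}')
# A legitimate request: "email" with no constraint, "acr" restricted to a set.
LEGIT_REQUEST = ('{"id_token": {"email": null, '
                 '"acr": {"values": ["urn:mace:incommon:iap:silver"]}}}')
# An essential claim the OP does not hold for this user.
ESSENTIAL_REQUEST = '{"userinfo": {"phone_number": {"essential": true}}}'


def filter_requested_claims(claims_param: str, user_claims: dict, target: str) -> dict:
    """Return the claims for one target ("userinfo" or "id_token") that the
    OP can legitimately release. Values are taken from user_claims only;
    the request never supplies a value, it can only narrow what is released."""
    request = json.loads(claims_param).get(target) or {}
    released = {}
    for name, spec in request.items():
        if name not in user_claims:
            continue  # the OP has no such claim for this user
        actual = user_claims[name]
        spec = spec or {}  # null means "return the claim if available"
        if "value" in spec and actual != spec["value"]:
            continue  # real value differs; do not echo the requested one
        if "values" in spec and actual not in spec["values"]:
            continue
        released[name] = actual
    return released


def unsatisfied_essential(claims_param: str, user_claims: dict, target: str) -> list:
    """Essential claims the OP could not fulfil; the RP may treat this as failure."""
    request = json.loads(claims_param).get(target) or {}
    released = filter_requested_claims(claims_param, user_claims, target)
    return [name for name, spec in request.items()
            if (spec or {}).get("essential") and name not in released]
```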
