900 views June 12, 2017 August 18, 2017 1

At the heart of it all are OIDC Claims; An attempt to standardize all the different pieces of information about a user. A Claim may for instance be a user’s surname or email address, and as such the Claims are very similar to SAML Assertions. However, Claims in OIDC are represented (as everything else in Oauth2.0/OIDC) as JSON key-value attributes.

Where to get claims?

The OIDC specification details sources of Claims: the ID token and the UserInfo endpoint.

The ID token is a signed JSON object (a JSON Web Token (JWT)), containing information about the authentication a user has undergone in order to get the ID token. While the ID token is very similar to a SAMLResponse object in that it is a signed proof of authentication, there is one vital difference: The ID token does not in principle contain information about the user, apart from a user ID (named the subject ID). Custom Claims may be contained within an ID token if relevant as authentication metadata.

The Userinfo endpoint is a separate endpoint that accepts access tokens and returns information about the user. Since an access token represents an authorization from the user to the client to perform actions on the user’s behalf, only information the user has authorized should be returned. The userinfo Claims that can be returned are largely standardized, but can be infinitely extended.

Was this helpful?