4520 views June 12, 2017 May 7, 2019 3

At the heart of it all are OIDC claims; an attempt to standardize all the different pieces of information about a user. A claim may for instance be a user’s surname or email address, which makes claims very similar to SAML Assertions. However, claims in OIDC are represented (as everything else in Oauth2.0/OIDC) as JSON key-value pairs.

Where to get claims?

The OIDC specification details sources of claims: the ID token and the UserInfo endpoint.

The ID token is a signed JSON object (a JSON Web Token, or JWT), containing information about the authentication a user has undergone in order to obtain the ID token. While the ID token is very similar to a SAMLResponse object in that it is a signed proof of authentication, there is one vital difference: The ID token does not in principle contain information about the user, apart from a user ID (named the subject ID). Custom claims may be contained within an ID token if relevant as authentication metadata.

The Userinfo endpoint is a separate endpoint that accepts access tokens and returns information about the user. Since an access token represents an authorization from the user to the client to perform actions on the user’s behalf, only information which the user has authorized should be returned. The userinfo claims that can be returned are largely standardized but can be infinitely extended.

Was this helpful?