
OpenID Connect standard claims and civil status #5

Open
adelcasse opened this issue Aug 4, 2022 · 1 comment

Comments

@adelcasse

I'm sorry if my question is too late in the process (I didn't have time to participate in all the working groups).

The OpenID Connect standard defines standard claims (https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) that all or most OIDC providers should implement.

Most of the "civil status" data is already covered by these standard claims (first name, last name, middle names, gender, birthdate). These should not be different in one place and another, as someone cannot have multiple civil identities (for "email" and "email_verified", or phone numbers, on the other hand, I can more easily understand why the email or phone number data could be added to personal information, as someone could have different emails and phone numbers).

The defined schema only adds the advantage of tracking certification (source and date). I think it could be overpassed by setting a certification on identity papers (ID card, passport, ...) for example, that would certify the standard claims linked to civil identity, instead of duplicating the data (the risk is to have different values in the standard claims and in the CMS ones)? This could easily be explained in a specification document.

So, why has it been done like that? And what do you think about my proposal to add the certification layer on identity papers while not duplicating the standard claims linked to civil identity?

@giffarda

Yes, the standard claims such as firstName or lastName are common string properties in OIDC.
The CMS implies creating attributes identity.lastName or identity.firstName with the same data but in a JSON structure with value/source/certificationDate. It is a CMS added value.
The CMS adopter must manage the data consistency and I think it is quite accessible for all.
However, another way could be to keep string properties and define the certification information (source/date) in other specific attributes only for these standard properties.
For example:

```json
{
	"properties" : [ "family_name", "given_name", "birthdate", "gender", "birthplace", "birthcountry" ],
	"source" : "franceconnect.gouv.fr",
	"certificateDate" : "2022-01-10"
}
```

When the field is not a standard claim, we can keep the model specified by the CMS.
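As an added illustration (not code from this issue or the CMS project), the following checks a claim set against both models discussed above: it flags drift between a standard claim and its CMS-style duplicate, and resolves which standard claims a separate certification block vouches for. The `identity` attribute names, the `certifications` list wrapping the block above, the mapping to standard claims, and all sample values are assumptions.

```python
from datetime import date
import json

# Constructed sample (not from the issue): standard claims kept as plain strings,
# a CMS-style duplicated "identity" block, and the certification block from the
# comment above wrapped in an assumed "certifications" list. Values are made up.
SAMPLE = json.loads("""{
  "family_name": "Dupont", "given_name": "Marie",
  "birthdate": "1990-05-17", "gender": "female",
  "identity": {
    "lastName":  {"value": "Dupont", "source": "franceconnect.gouv.fr", "certificationDate": "2022-01-10"},
    "firstName": {"value": "Marie-Claire", "source": "franceconnect.gouv.fr", "certificationDate": "2022-01-10"}
  },
  "certifications": [
    {"properties": ["family_name", "given_name", "birthdate", "gender", "birthplace", "birthcountry"],
     "source": "franceconnect.gouv.fr", "certificateDate": "2022-01-10"}
  ]
}""")

# Assumed mapping from CMS attribute names to the OIDC standard claim they mirror.
CMS_TO_STANDARD = {"lastName": "family_name", "firstName": "given_name",
                   "birthdate": "birthdate", "gender": "gender"}

def find_conflicts(claims):
    """Return {standard_claim: (standard_value, cms_value)} for every CMS
    attribute whose value disagrees with the standard claim it duplicates."""
    conflicts = {}
    identity = claims.get("identity", {})
    for cms_name, std_name in CMS_TO_STANDARD.items():
        cms_attr = identity.get(cms_name)
        if cms_attr is None or std_name not in claims:
            continue  # nothing duplicated, so nothing can drift
        if cms_attr.get("value") != claims[std_name]:
            conflicts[std_name] = (claims[std_name], cms_attr.get("value"))
    return conflicts

def certified_claims(claims, max_age_days=None, today=None):
    """Return {claim: source} for standard claims a certification block vouches for;
    listed properties absent from the claim set are ignored, and certifications
    older than max_age_days (when given) are not trusted."""
    today = today or date.today()
    certified = {}
    for cert in claims.get("certifications", []):
        issued = date.fromisoformat(cert["certificateDate"])
        if max_age_days is not None and (today - issued).days > max_age_days:
            continue
        for prop in cert["properties"]:
            if prop in claims:
                certified[prop] = cert["source"]
    return certified
```

In the sample, `find_conflicts` reports the given_name drift the first comment warns about, while `certified_claims` covers only the four listed properties actually present in the claim set.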
