Scopes and claims section applicability #213

Closed
WestpacOpenBanking opened this issue May 7, 2020 · 5 comments

Comments

@WestpacOpenBanking

Request For Clarification

The Scopes and Claims section in the Security Profile discusses a set of claims that must be supported, without further context as to whether they must be supported as claims for the ID Token, the userinfo endpoint or both. We note that auth_time is normally only supported in the ID token context, and there is currently discussion around the authorisation request object and authorisation requests more generally in that section. We suspect that the intent is for this section to apply to the ID token claims only and request that this be clarified or, if this is not the case, that clarification is given for each claim individually.

@pcurtisrab

pcurtisrab commented May 8, 2020

Regional Australia Bank has read the standards to mean that there is no distinction between the claims that must be supported in the ID Token and the Userinfo Endpoint (except those specifically mentioned in the specific ID token section).

If Westpac is correct in their assumption that Scopes and Claims section only applies to the ID Token, then this has significant bearing on a previous clarification about the refresh_token_expires_at claim and current implementations, which appeared to clearly support our reasoning that the scopes and claims section applies to both the ID Token AND the Userinfo endpoint.

@CDR-API-Stream
Collaborator

Hi @WestpacOpenBanking, the claims must be supported in the ID Token and UserInfo endpoint unless expressly excluded.

Thus, auth_time would apply to both ID Token and UserInfo.

@mperryau

Ping Identity wishes to back Westpac's point of view on this issue. There is a reason why auth_time is defined in the ID Token section of the OIDC specification: it relates to the user's authentication event (i.e. token creation), whereas the UserInfo endpoint is intended as a protected resource that provides information about the user. Every single mention of auth_time in the OIDC specification is in the context of an ID token.

Vendors like Ping write their solutions to the specification and Data61 should not be modifying a mature, well-supported specification for a local requirement in this way. Left as it is, this will have material impact on Data Holder implementations.

We recommend that auth_time not be required to be provided by the UserInfo endpoint, to retain consistency with the OIDC specification.

@WestpacOpenBanking
Author

Thank you @CDR-API-Stream. This position is not in alignment with OIDC or a number of vendor implementations. We have raised a new change request where we suggest that auth_time is only mandatory in the ID Token as this better aligns with international standards.

@CDR-API-Stream
Collaborator

This change request has been adopted in v1.4.0 of the standards. This issue has been answered and it is being closed accordingly.
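To make the adopted position concrete, the following is an added example of the relying-party checks it implies; it is not code from the standards, from Data61, or from any participant in this thread. It validates an ID Token, requires auth_time there and uses it to enforce a requested max_age (the authentication-event semantics Ping describes above), and then checks a UserInfo response without requiring auth_time. The claim sets, the HS256 shared key, the issuer and client identifiers, and the sample responses are all constructed assumptions for illustration; a real OP signs with an asymmetric algorithm and the RP verifies against the OP's JWKS.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Illustrative claim sets (an assumption for this example, not the profile's
# normative list). After the change adopted in v1.4.0, auth_time is required
# in the ID Token only, so it does not appear in the UserInfo set.
ID_TOKEN_REQUIRED = {"iss", "sub", "aud", "exp", "iat", "auth_time", "nonce"}
USERINFO_REQUIRED = {"sub"}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT. HS256 keeps the example offline; it stands in for
    the OP's real asymmetric signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str,
                    nonce: str, max_age: Optional[int] = None,
                    now: Optional[int] = None) -> dict:
    """Validate signature and core claims, then use auth_time to enforce max_age.
    Raises ValueError on any failure; returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, b, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(key, f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    missing = ID_TOKEN_REQUIRED - set(claims)
    if missing:
        raise ValueError(f"ID Token missing claims: {sorted(missing)}")
    if claims["iss"] != issuer:
        raise ValueError("issuer mismatch")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        raise ValueError("audience mismatch")
    if claims["nonce"] != nonce:
        raise ValueError("nonce mismatch")
    if now >= claims["exp"]:
        raise ValueError("ID Token expired")
    # auth_time describes the authentication event, which is why it belongs in
    # the ID Token: the RP compares it with the max_age it requested.
    if max_age is not None and now - claims["auth_time"] > max_age:
        raise ValueError("authentication older than requested max_age")
    return claims


def check_userinfo(userinfo: dict, id_token_claims: dict) -> list:
    """Return a list of problems with a UserInfo response (empty means OK).
    auth_time is intentionally not demanded here."""
    problems = []
    for claim in sorted(USERINFO_REQUIRED - set(userinfo)):
        problems.append(f"UserInfo missing claim: {claim}")
    # OIDC Core 5.3.2: the UserInfo sub MUST match the ID Token sub.
    if userinfo.get("sub") != id_token_claims["sub"]:
        problems.append("sub in UserInfo does not match ID Token")
    return problems


def demo(now: int = 1_588_896_000) -> dict:
    """Constructed sample flow with a fixed clock so the result is deterministic."""
    key = b"shared-secret-for-example-only"  # assumption: example-only key
    claims = {"iss": "https://op.example", "sub": "user-123", "aud": "rp-client",
              "exp": now + 300, "iat": now, "auth_time": now - 60, "nonce": "n-1"}
    token = make_id_token(claims, key)
    verified = verify_id_token(token, key, "https://op.example", "rp-client", "n-1",
                               max_age=600, now=now)
    stale = None
    try:  # same token, but the RP asked for a fresher authentication
        verify_id_token(token, key, "https://op.example", "rp-client", "n-1",
                        max_age=30, now=now)
    except ValueError as exc:
        stale = str(exc)
    # Constructed UserInfo response: carries no auth_time, and that is acceptable.
    userinfo = {"sub": "user-123", "name": "Sample User"}
    return {"verified_sub": verified["sub"], "stale_error": stale,
            "userinfo_problems": check_userinfo(userinfo, verified)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script mints one token, accepts it under max_age=600, rejects the same token under max_age=30 because auth_time is 60 seconds old, and reports no problems for a UserInfo response that omits auth_time. The one cross-check that still ties the two together is the sub comparison, which OIDC does require of the UserInfo response.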

5 participants