Improve OpenID Connect claims request parameter implementation

[martynaslawinska]

nynymike commented on Oct 17, 2019
The claims request parameter is specified here:
https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter

The admin should be able to see a view of all the claims that are available for a client. Are these claims released via an associated scopes? Or are the explicitly released?

We may want to add claims for:

• Subject attributes
• Client attributes
• Context attributes
• Static Text
• Claims request parameter of signed request object
• client certificate used to perform mutual TLS connection

Perhaps to include the above claims, we can expose a "claims interception script" that can be mapped from the client.

This would also enable us to call out to external claim providers.

[yurem]

1. We already have DynamicScopeType, SpontaneousScopeType scripts. I wonder if we need to do add anything else for this issue

[nynymike]

Customers demand for this feature is low. But let's leave the issue open. The idea that a client could request individual claims, instead of openid scopes, is in the spec. But how to handle whether a client is authorized for claims, how the person consents, is not well defined. It think its preferable at this point to not allow the claims param by default, and to wait for more customer demand to implement a specific solution.