fabmob/CMS

OpenID Connect standard claims and civil status

Opened this issue · 1 comment

I'm sorry if my question comes too late in the process (I didn't have time to participate in all the working groups).

The OpenID Connect standard defines standard claims (https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) that all or most OIDC providers should implement.

Most of the "civil status" data is already covered by these standard claims (first name, last name, middle names, gender, birthdate). These should not differ from one place to another, as someone cannot have multiple civil identities (for "email" and "email_verified", or phone numbers, on the other hand, I can more easily understand why the email or phone number data could be added to personal information, as someone could have different emails and phone numbers).

The defined schema only adds the advantage of tracking certification (source and date). I think it could be replaced by setting a certification on identity papers (ID card, passport ...) for example, which would certify the standard claims linked to civil identity, instead of duplicating the data (the risk is to have different values in the standard claims and in the CMS ones)? This could easily be explained in a specification document.

So, why has it been done like that? And what do you think about my proposal to add the certification layer on identity papers while not duplicating the standard claims linked to civil identity?

Yes, the standard claims such as firstName or lastName are common string properties in OIDC.
The CMS implies creating attributes identity.lastName or identity.firstName with the same data but in a JSON structure with value/source/certificationDate. It is CMS added value.
The CMS adopter must manage the data consistency and I think it is quite accessible for all.
However, another way could be to keep string properties and define the certification information (source/date) in other specific attributes only for these standard properties.
For example:

{
	"properties" : [ "family_name", "given_name", "birthdate", "gender", "birthplace", "birthcountry" ],
	"source" : "franceconnect.gouv.fr",
	"certificateDate" : "2022-01-10"
}

When the field is not a standard claim, we can keep the model specified by the CMS.
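To make the two options discussed in this thread concrete, here is an added example (not fabmob/CMS code): a check that flags when a duplicated identity.* attribute disagrees with the OIDC standard claim it copies (the consistency risk raised in the issue), and a helper for the alternative layout from the comment where one certification record lists the standard claims it covers. The claim-to-attribute mapping and the sample data are assumptions constructed for the example.

```python
"""Added example, not fabmob/CMS code: consistency check between OIDC standard
claims and duplicated CMS identity attributes, plus the alternative layout where
one certification record covers a list of standard claims."""
from datetime import date
from typing import Dict, Optional, Tuple

# Assumed mapping: which CMS attribute duplicates which OIDC standard claim.
CLAIM_TO_CMS_ATTRIBUTE = {
    "given_name": "identity.firstName",
    "family_name": "identity.lastName",
    "birthdate": "identity.birthdate",
    "gender": "identity.gender",
}


def find_mismatches(claims: Dict[str, str], cms_profile: Dict[str, dict]) -> Dict[str, Tuple[str, str]]:
    """Return {claim: (oidc_value, cms_value)} for every duplicated civil-identity
    value that disagrees between the OIDC claims and the CMS attribute copy.

    cms_profile follows the structure described in the comment:
    "identity.lastName": {"value": ..., "source": ..., "certificationDate": ...}.
    """
    mismatches = {}
    for claim, attr in CLAIM_TO_CMS_ATTRIBUTE.items():
        if claim not in claims or attr not in cms_profile:
            continue  # only compare values that exist on both sides
        cms_value = cms_profile[attr].get("value")
        if claims[claim] != cms_value:
            mismatches[claim] = (claims[claim], cms_value)
    return mismatches


def certified_claims(claims: Dict[str, str], certification: dict,
                     today: Optional[date] = None) -> Dict[str, str]:
    """Alternative layout from the comment: standard claims stay plain strings and a
    certification record says which of them it covers (its "properties" list).

    Returns {claim: value} for the covered claims present in the token. A
    certificateDate in the future is rejected, since an attestation cannot postdate
    the check (the date format is assumed to be ISO 8601 as in the comment's sample).
    """
    today = today or date.today()
    if date.fromisoformat(certification["certificateDate"]) > today:
        raise ValueError("certificateDate is in the future")
    return {c: claims[c] for c in certification["properties"] if c in claims}
```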