Is throwing expected claim "${claim}" in "${sourceName}" the correct behaviour on missing source?

[seybsen]

An error expected claim "${claim}" in "${sourceName}" is thrown if distributed sources do not return all claims referenced in _claim_names:
https://github.com/panva/node-openid-client/blob/master/lib/client.js#L55

Example:

{
	"sub": "dxu....",
	"_claim_names": {
		"address": "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab",
		"gender": "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab",
		"phone_number": "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab",
		"given_name": "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab",
		"family_name": "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab",
		"email": "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab"
	},
	"_claim_sources": {
		"55eb6148-9ddf-4f2d-98a6-30cbae6ebbab": {
			"access_token": "eyJraW...",
			"endpoint": "https://api-identity.example.com/userinfo"
		}
	}
}

when fetching the distributed claims gender is missing:

{
	"aud": "d7466ksfdzdxq",
	"sub": "dxu....",
	"id4me.identifier": "test.example.com",
	"id4me.identity": "test.example.com",
	"nbf": 1571127548,
	"address": {
		"street_address": "",
		"country": "",
		"formatted": "",
		"locality": "",
		"region": "",
		"postal_code": ""
	},
	"iss": "https://api-identity.example.com",
	"exp": 1571127578,
	"given_name": "Tester",
	"iat": 1571127548,
	"family_name": "Test",
	"email": "[email protected]"
}

which then throws RPError: expected claim "gender" in "55eb6148-9ddf-4f2d-98a6-30cbae6ebbab"

Is this the correct behaviour according to RFC?

[seybsen]

https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.5.6.2

endpoint
REQUIRED. OAuth 2.0 resource endpoint from which the associated Claim can be retrieved. The endpoint URL MUST return the Claim as a JWT.

... does this mean the endpoint MUST return the Claim or that the Claim MUST be JWT?

[panva]

Hi Sebastian,

https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims

The JWT returned by the resource (endpoint) is the same JWT as for the aggregated claims, for which the following is defined

JWT that MUST contain all the Claims in the _claim_names object that references the corresponding _claim_sources member.

Its processing is the same, ergo throw if the _claim_names point to something that's not there.

Feel free to double check on the OIDC WG mailing list or issue tracker, i might be in the wrong to apply the same processing for distributed as for aggregated.

[pawel-kow]

OMHO throwing an exception is a bit hard, as more graceful handling would be possible.

In case of distributed claims IdP may not know what claims are stored by the claims source, therefore there is no such strict language as with Aggregated Claims.
Anyway I've opened an issue at OIDF: https://bitbucket.org/openid/connect/issues/1117/core-562-behavior-for-distributed-claims

[panva]

Reopening based on WG feedback to the issue. Expect a fix in the next release.