
...

Because OIDC identifies claims by plain strings, rather than relying on XML namespaces and URIs for uniqueness, there are a number of claim names that must be avoided: if you configure them as custom claims, they will not be produced.

Warning

Please be aware that OAuth and OpenID are defined unsafely to leverage claim names that are strings rather than URIs. Thus, there are no mechanisms in place to ensure control and uniqueness over the naming of claims as can be done in SAML. As a result, we cannot guarantee that new specifications will not define new claim names and stomp on your use of new claim names that happen to collide.

The only real solution to this problem is simply to avoid “small/simple” names and, when using OIDC at least, avoid adding custom claims to the ID Token and leverage the UserInfo endpoint to produce them instead.

The following claim names are currently reserved (but note the warning above):

  • aud

  • iss

  • iat

  • exp

  • acr

  • auth_time

  • at_hash

  • c_hash

  • nonce

  • sid

The "sub" claim is also semi-reserved but does come from your configuration. However, it has to meet certain requirements and so cannot just contain arbitrary data without risking severe consequences to RPs. It is analogous to violating the expectations of a SAML SP regarding the content of an Attribute, but with more consistently severe problems. Please refer to the dedicated page at OPSubClaim for specifics.
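The following is an added example (not code from the IdP project or this documentation) that turns the list above into a pre-deployment check: it classifies proposed custom claim names against the reserved and semi-reserved sets, and reads the payload of an issued ID Token to show which configured custom claims silently failed to appear. The "collision-prone" rule for un-namespaced names is a heuristic assumed for this example, as are the constructed claim names, token values and the `urn:example:`/`example.org` namespaces.

```python
import base64
import json

# Claim names the documentation lists as reserved by the IdP's OIDC support.
RESERVED_CLAIMS = frozenset({
    "aud", "iss", "iat", "exp", "acr", "auth_time", "at_hash", "c_hash", "nonce", "sid",
})
# "sub" is semi-reserved: it comes from configuration but must meet the OP's requirements.
SEMI_RESERVED_CLAIMS = frozenset({"sub"})


def classify_claim_name(name):
    """Classify a proposed custom claim name.

    Returns 'reserved' (never produced), 'semi-reserved' (sub),
    'collision-prone' (short, un-namespaced name; a heuristic assumed for
    this example, not a rule from the documentation), or 'ok'.
    """
    if name in RESERVED_CLAIMS:
        return "reserved"
    if name in SEMI_RESERVED_CLAIMS:
        return "semi-reserved"
    # Heuristic: a name with no namespace-style separator is the kind of
    # "small/simple" name a future specification is most likely to claim.
    if not any(sep in name for sep in (":", ".", "/")):
        return "collision-prone"
    return "ok"


def audit_claim_names(names):
    """Group a list of proposed claim names by classification, preserving order."""
    report = {"reserved": [], "semi-reserved": [], "collision-prone": [], "ok": []}
    for name in names:
        report[classify_claim_name(name)].append(name)
    return report


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(token):
    """Read the payload of a compact JWT without verifying the signature.

    Only for auditing a token you already trust (for example one your own OP
    just issued in a test); this is not a validation routine.
    """
    payload_segment = token.split(".")[1]
    return json.loads(_b64url_decode(payload_segment))


def missing_custom_claims(token, expected_custom_claims):
    """Return the configured custom claims that did not appear in the token.

    Configuring a reserved name as a custom claim is a typical reason a claim
    silently fails to show up.
    """
    present = id_token_claims(token)
    return sorted(c for c in expected_custom_claims if c not in present)


def _constructed_id_token(payload):
    # Builds an unsigned ("alg": "none") token purely for the demonstration.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc(payload), ""])


if __name__ == "__main__":
    # Constructed configuration: two namespaced claims, one short name,
    # two names that collide with reserved claims, and "sub".
    proposed = ["urn:example:affiliation", "example.org/entitlement",
                "role", "sid", "nonce", "sub"]
    print(audit_claim_names(proposed))

    # Constructed token: the namespaced claims were produced, "nonce" carries
    # only its standard meaning, and the custom "sid" and "role" are absent.
    token = _constructed_id_token({
        "iss": "https://op.example.org", "sub": "abc123", "aud": "rp1",
        "exp": 1700000000, "iat": 1699996400, "nonce": "n-0S6_WzA2Mj",
        "urn:example:affiliation": "member",
        "example.org/entitlement": "urn:example:entitlement:x",
    })
    print(missing_custom_claims(token, ["urn:example:affiliation", "role", "sid"]))
```

Run the audit against the claim names in your attribute configuration before enabling them; anything in the "reserved" bucket will never reach the ID Token, and the page's recommendation for everything else is to namespace it and to deliver it from the UserInfo endpoint rather than the ID Token.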

...