I am building a website that uses OAuth 2.0 and OpenID Connect (from some third-party vendor) to authenticate users.

Before redirecting the user to the vendor's OAuth page, I am not asking the user to enter a unique user ID on my website. I was thinking of using the user's email ID, which I receive as part of the ID Token after the authorization process is done, as the user's username (unique identity) for my website.

But the OpenID specification here
https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

says that the email ID is optional and may not be returned.

So the question is: is it standard practice to ask the user to provide a unique name (that I can use as the user's identity on my website) before I initiate the OAuth/OpenID Connect process?

theduck
Pharaoh

2 Answers

3

The sub claim must be unique per issuer. Required Claims will always be present. You can use the iss + sub to uniquely identify users.

Irfan434
  • Thanks, but I will not be able to use this as a username to display when the user logs in, right? I will have to ask him for a user ID. – Pharaoh Oct 10 '18 at 18:27
  • Yes, you can ask them to create a user ID for your website. It doesn't have to be unique. It can be their email. You don't need to send this information to the authentication provider. – Irfan434 Oct 10 '18 at 18:52
0

To add more information, every OpenID Connect provider needs to provide a /userinfo endpoint to fetch the user's information using the access token.

Here is the specification:
https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

Pharaoh
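The two answers above together describe the pattern a relying party should follow: key the local account on iss + sub from the ID Token, and treat email (from the ID Token or from /userinfo) as optional display data. The following script is an added example, not code from the question or either answer. It assumes a hypothetical issuer URL (https://issuer.example), a hypothetical client ID (my-client-id), and a constructed ID Token payload and UserInfo response embedded inline so it runs offline; the function names (validate_id_token_claims, account_key, merge_userinfo, display_name) are this example's own. A real integration must verify the JWT signature before reading the payload and must fetch /userinfo over TLS with the access token; those steps are outside this snippet.

```python
"""Deriving a stable local account identity from an OpenID Connect ID Token.

Added example; not code from the original question or answers.  The ID Token
payload and the UserInfo response below are constructed so the script runs
offline.  Signature verification and the HTTPS call to /userinfo are assumed
to have happened already and are not shown.
"""
import time

# Claims OpenID Connect Core requires in every ID Token.
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

# Constructed sample payload.  Note there is no "email" claim: the provider
# was not asked for (or did not return) the email scope, which is allowed.
SAMPLE_ID_TOKEN_PAYLOAD = {
    "iss": "https://issuer.example",   # hypothetical issuer
    "sub": "248289761001",
    "aud": "my-client-id",             # hypothetical client ID
    "exp": 2_000_000_000,
    "iat": 1_999_999_000,
    "name": "Jane Doe",
}

# Constructed sample /userinfo response for the same subject.
SAMPLE_USERINFO = {
    "sub": "248289761001",
    "email": "jane@example.com",
    "email_verified": False,
}


def validate_id_token_claims(claims, expected_iss, expected_aud, now=None):
    """Checks a relying party must make before trusting an ID Token payload."""
    now = time.time() if now is None else now
    missing = [c for c in REQUIRED_ID_TOKEN_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"ID token missing required claims: {missing}")
    if claims["iss"] != expected_iss:
        raise ValueError("unexpected issuer")
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("token not issued for this client")
    if now >= claims["exp"]:
        raise ValueError("ID token expired")
    return claims


def account_key(claims):
    """Stable primary key for the local user record: issuer plus subject.

    'sub' is only guaranteed unique within one issuer, so the issuer must be
    part of the key or two providers could collide on the same subject string.
    """
    return f"{claims['iss']}|{claims['sub']}"


def merge_userinfo(id_token_claims, userinfo):
    """Merge a /userinfo response into the ID Token claims.

    The UserInfo 'sub' must exactly match the ID Token 'sub' (OpenID Connect
    Core 5.3.2); a mismatch means the response must not be used.
    """
    if userinfo.get("sub") != id_token_claims["sub"]:
        raise ValueError("UserInfo sub does not match ID token sub")
    merged = dict(userinfo)
    merged.update(id_token_claims)  # ID Token claims are signed; prefer them
    return merged


def display_name(claims):
    """Pick a display name and say whether the user should be prompted for one.

    Returns (name, needs_prompt).  Only a verified email is used as-is; an
    unverified or absent email means the site should ask the user to choose
    a name rather than trust the claim.
    """
    if claims.get("email") and claims.get("email_verified") is True:
        return claims["email"], False
    for fallback in ("preferred_username", "name"):
        if claims.get(fallback):
            return claims[fallback], True
    return claims["sub"], True


def onboard(id_token_payload, userinfo, expected_iss, expected_aud, now=None):
    """Full flow: validate, derive the account key, pick a display name."""
    claims = validate_id_token_claims(id_token_payload, expected_iss,
                                      expected_aud, now)
    merged = merge_userinfo(claims, userinfo)
    name, needs_prompt = display_name(merged)
    return {"key": account_key(claims), "name": name,
            "needs_prompt": needs_prompt}


if __name__ == "__main__":
    print(onboard(SAMPLE_ID_TOKEN_PAYLOAD, SAMPLE_USERINFO,
                  "https://issuer.example", "my-client-id", now=1_999_999_500))
```

With the constructed input the account key is "https://issuer.example|248289761001" and, because the only email available is unverified, the display name falls back to the name claim with needs_prompt set, which is exactly the case where the site should let the user pick their own username.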