Can an OIDC JWT identity claim (such as phone number or email) be multiple?
Is an OIDC JWT payload like this valid?

```json
{
  "sub" : "alice",
  "email" : ["alice@wonderland.net", "alice@wherever.com"],
  ...
}
```

Reading the official RFCs, I could only find that the keys (`sub`, `email`, etc.) must be unique, but nothing about the values.
The `email` claim must be a string, so an array is not a valid value, per the OpenID Connect Core 1.0 spec (formatting mine):

> email (string): End-User's preferred e-mail address. Its value MUST conform to the RFC 5322 addr-spec syntax. The RP MUST NOT rely upon this value being unique, as discussed in Section 5.7.

In RFC 5322, the addr-spec syntax is defined as follows:

> An addr-spec is a specific Internet identifier that contains a locally interpreted string followed by the at-sign character (`@`, ASCII value 64) followed by an Internet domain. [...]

```
addr-spec       = local-part "@" domain
local-part      = dot-atom / quoted-string / obs-local-part
domain          = dot-atom / domain-literal / obs-domain
domain-literal  = [CFWS] "[" *([FWS] dtext) [FWS] "]" [CFWS]
dtext           = %d33-90 /          ; Printable US-ASCII
                  %d94-126 /         ;  characters not including
                  obs-dtext          ;  "[", "]", or "\"
```
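As an added example (not part of the question or the answer, and not code from any OpenID library), here is a relying-party-side check in Python that rejects the array payload from the question and accepts a single RFC 5322 addr-spec. It goes slightly beyond the quoted grammar: it also rejects duplicate claim names (the uniqueness rule the question mentions) and keys the user record on `iss` and `sub` rather than on `email`, since the spec says the RP must not rely on `email` being unique. Assumptions: the token signature has already been verified elsewhere, only the current (non-obsolete) addr-spec forms are accepted, comments and folding whitespace (CFWS) are not handled, and every payload shown is constructed for the example.

```python
"""Validate the OIDC `email` claim as the answer above requires.

Added example, not code from the question or from any OpenID library.
Assumptions: the JWT signature has already been verified, only the
current (non-obsolete) addr-spec forms of RFC 5322 are accepted, and
comments / folding whitespace (CFWS) are not supported.
"""
import json
import re
from typing import Any, Dict, List, Tuple

# RFC 5322 atext: the characters a dot-atom is built from.
ATEXT = r"[A-Za-z0-9!#$%&'*+\-/=?^_`{|}~]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"          # 1*atext *("." 1*atext)
# quoted-string = DQUOTE *([FWS] qcontent) [FWS] DQUOTE; FWS approximated as WSP.
QTEXT = r"[\x21\x23-\x5b\x5d-\x7e]"             # %d33 / %d35-91 / %d93-126
QUOTED_PAIR = r"\\[\x21-\x7e \t]"               # "\" (VCHAR / WSP)
QUOTED_STRING = rf'"(?:{QTEXT}|{QUOTED_PAIR}|[ \t])*"'
# domain-literal = "[" *dtext "]"; dtext = %d33-90 / %d94-126
DTEXT = r"[\x21-\x5a\x5e-\x7e]"
DOMAIN_LITERAL = rf"\[{DTEXT}*\]"

# addr-spec = local-part "@" domain
ADDR_SPEC = re.compile(
    rf"(?:{DOT_ATOM}|{QUOTED_STRING})@(?:{DOT_ATOM}|{DOMAIN_LITERAL})"
)


def is_addr_spec(value: str) -> bool:
    """True if `value` is exactly one RFC 5322 addr-spec (local-part "@" domain)."""
    return ADDR_SPEC.fullmatch(value) is not None


def _reject_duplicate_keys(pairs: List[Tuple[str, Any]]) -> Dict[str, Any]:
    """json.loads hook: JWT claim names must be unique (RFC 7519), so fail
    instead of silently keeping the last (or first) duplicate."""
    claims: Dict[str, Any] = {}
    for name, value in pairs:
        if name in claims:
            raise ValueError(f"duplicate claim name: {name!r}")
        claims[name] = value
    return claims


def load_claims(payload_json: str) -> Dict[str, Any]:
    """Parse an already signature-checked JWT payload into a claims dict."""
    return json.loads(payload_json, object_pairs_hook=_reject_duplicate_keys)


def check_email_claim(claims: Dict[str, Any]) -> Tuple[bool, str]:
    """The claim is optional; if present it must be one string in addr-spec syntax."""
    if "email" not in claims:
        return True, "no email claim"
    email = claims["email"]
    if not isinstance(email, str):
        # An array, number, object or null is a spec violation, not "several addresses".
        return False, f"email must be a JSON string, got {type(email).__name__}"
    if not is_addr_spec(email):
        return False, f"{email!r} is not an RFC 5322 addr-spec"
    return True, "ok"


def validate_payload(payload_json: str) -> Tuple[bool, str]:
    """Parse and check a payload; returns (accepted, reason)."""
    try:
        claims = load_claims(payload_json)  # JSONDecodeError is a ValueError
    except ValueError as exc:
        return False, str(exc)
    if not isinstance(claims, dict) or "sub" not in claims:
        return False, "payload must be a JSON object with a sub claim"
    return check_email_claim(claims)


def rp_identity_key(claims: Dict[str, Any]) -> str:
    """Key the RP's user record on (iss, sub), never on email: the spec says
    the RP MUST NOT rely on the email value being unique."""
    return f"{claims['iss']}|{claims['sub']}"


if __name__ == "__main__":
    # Constructed payloads (not real tokens): the array from the question,
    # a plain address, a quoted local-part with a domain-literal, and a
    # payload that repeats the email claim name.
    for payload in (
        '{"sub": "alice", "email": ["alice@wonderland.net", "alice@wherever.com"]}',
        '{"sub": "alice", "email": "alice@wonderland.net"}',
        '{"sub": "alice", "email": "\\"alice in wonderland\\"@[192.0.2.10]"}',
        '{"sub": "alice", "email": "alice@wonderland.net", "email": "alice@wherever.com"}',
    ):
        print(validate_payload(payload))
```

Only the second and third payloads are accepted; the array fails the string check before the grammar is ever consulted, and the duplicated claim name is rejected at parse time rather than resolved by whichever value the JSON parser happens to keep.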