Wiki · Concept · Last reviewed June 25, 2026

OpenID Connect Advanced Syntax for Claims

OpenID Connect Advanced Syntax for Claims is an eKYC-IDA extension for requesting fewer, sharper, and more policy-aware claims in OpenID Connect flows.

Definition

OpenID Connect Advanced Syntax for Claims (ASC) 1.0 is an OpenID Foundation eKYC-IDA specification for more expressive claim requests in OpenID Connect. The referenced Implementer's Draft document is titled draft 02, dated May 25, 2026, authored by D. Fett of Authlete. On May 27, 2026, the OpenID Foundation announced that its membership had approved ASC 1.0 as an OpenID Implementer's Draft, which the Foundation describes as a stable version with intellectual-property protections for implementers. It is not a final specification.

ASC starts from a practical identity problem. OpenID Connect Core already lets relying parties request information with scopes or with the claims request parameter. But many real identity workflows need a sharper question than "send this profile field." A verifier may only need to know whether a person is over a threshold age, whether an email belongs to a domain, or whether a claim satisfies a policy constraint. Sending the underlying raw attribute can be unnecessary and privacy-expanding.

Two Tools

ASC defines two components that can be implemented independently or together: Selective Abort/Omit and Transformed Claims. Selective Abort/Omit lets a relying party tell an OpenID Provider what should happen when requested data is unavailable, not consented to, or inconsistent with a constraint the relying party expressed through the value or values members of the claim request. Instead of returning a partial bundle that cannot satisfy the relying party's business requirement, the provider can omit the affected data or abort the response, according to the requested behavior.

Transformed Claims lets the relying party define a claim derived from a base claim by applying functions. The spec's central motivating case is age verification: a service may need an age-over-threshold result without receiving the person's full birthdate. The draft defines transformation functions including year counting, equality, comparison, hashing, array evaluation, JSON object access, and matching. It lets a provider answer only the narrower question when that narrower answer is enough.
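The two components above, worked through as an added example that is not part of the draft or of any OpenID Foundation code: a provider-side evaluator that derives an age-over-threshold answer and a domain-match answer from base claims it never discloses, aborts when an essential constraint fails, omits when a non-essential one fails, and applies an execution limit to the regular-expression function. The request layout (transformed_claims, fn lists, ":"-prefixed references) is assumed from the draft's syntax, and the user data is constructed.

```python
import re
from datetime import date

# Constructed request in the draft's transformed-claims shape (member names are assumed
# from the draft syntax): a named derived claim is built from a base claim by applying
# functions in order, then referenced in "userinfo" with a ":" prefix.
REQUEST = {
    "transformed_claims": {
        "age_18_or_over": {"claim": "birthdate", "fn": ["years_ago", ["gte", 18]]},
        "corp_email": {"claim": "email", "fn": [["match", r"^[^@]+@example\.com$"]]},
    },
    "userinfo": {
        ":age_18_or_over": {"essential": True, "value": True},  # unmet -> abort
        ":corp_email": {"essential": False, "value": True},     # unmet -> omit
    },
}
USER = {"birthdate": "1990-06-01", "email": "alice@example.com"}  # constructed OP data

class AbortResponse(Exception): pass  # essential constraint unmet: refuse a partial bundle

def years_ago(iso_date, today):
    y, m, d = (int(p) for p in iso_date.split("-"))
    return today.year - y - ((today.month, today.day) < (m, d))

def apply_fn(value, step, today):
    """Apply one step; a step is a bare function name or [name, argument]."""
    name, args = (step, []) if isinstance(step, str) else (step[0], step[1:])
    if name == "years_ago":
        return years_ago(value, today)
    if name in ("gte", "eq"):
        return value >= args[0] if name == "gte" else value == args[0]
    if name == "match":
        # Provider-side execution limit: bound pattern size and reject nested quantifiers
        # (the classic ReDoS shape) before the regex engine ever runs.
        if len(args[0]) > 256 or re.search(r"\([^)]*[+*]\)[+*]", args[0]):
            raise ValueError("pattern rejected by execution limits")
        return re.fullmatch(args[0], str(value)) is not None
    raise ValueError(f"unsupported function {name}")

def evaluate(request, user, today_iso):
    """Return only the derived answers; the base claims never leave the provider."""
    today, out = date.fromisoformat(today_iso), {}
    for ref, constraint in request["userinfo"].items():
        spec = request["transformed_claims"][ref.lstrip(":")]
        value = user.get(spec["claim"])
        for step in spec["fn"] if value is not None else []:
            value = apply_fn(value, step, today)
        if value is not None and value == constraint.get("value", value):
            out[ref] = value
        elif constraint.get("essential"):
            raise AbortResponse(ref)  # Selective Abort
    return out                        # unmet non-essential references are omitted
```

Running evaluate(REQUEST, USER, "2026-06-25") yields only the two boolean answers; the birthdate and email strings stay in the provider's USER record.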

Data Minimization

ASC belongs with data minimization because it moves minimization into protocol syntax. Instead of relying only on policy text saying "collect less," a relying party can express a more limited information need in the authentication request. The OpenID eKYC-IDA working-group page describes ASC as a way to express additional data-minimization requirements between the relying party and identity provider.

The protocol still needs governance. A transformed claim can reduce disclosure only if the base claim remains at the provider and the relying party receives the derived answer. If the relying party requests both the derived answer and the raw field, minimization has failed. If the provider cannot explain the transformation in a consent interface, users may not understand what is being disclosed. If the transformation function is too open-ended, it can become a new attack surface rather than a privacy control.

Agent Context

For AI agents, ASC is relevant whenever an agent mediates a sign-in, account opening, credential presentation, age check, employment workflow, regulated purchase, travel form, or school-service interaction. The agent might be asked to satisfy a relying party's identity requirement without oversharing the user's data. A good agent should prefer a minimal transformed claim over a full identity attribute when the relying party's policy genuinely permits it.

The agent should also preserve the separation between request, consent, transformation, and action. It should record the relying party, provider, base claim, transformed claim, function category, requested abort/omit behavior, request protection, and resulting decision. The agent may help the user understand the request; it should not silently broaden the claim set because a form is easier to complete that way.

Governance Risks

Syntax laundering. A service frames a broad data request as "advanced syntax" even though the raw attribute is still returned.

Consent opacity. Users see a friendly summary while the underlying request encodes a transformation they cannot inspect.

Integrity failure. The ASC security section says the claims parameter needs protection against modification. Without that, a transformed age claim or abort condition could be weakened by an attacker or by the end-user.

Provider computation risk. Transformation functions have to run safely. The draft warns about execution limits and ReDoS concerns for regular expressions.

Agent overreach. An agent chooses claim expansion for convenience rather than asking whether the smaller derived answer would satisfy the task.

Governance Pattern

Source Discipline

Statements about ASC should name the exact document status and version. ASC should not be described as OpenID Connect Core, as OpenID Connect for Identity Assurance, or as a general credential wallet standard. It is a claim-request extension that can sit alongside those systems.

Spiralist Reading

Spiralism reads ASC as a small but important resistance to identity appetite. Institutions often ask for the attribute because the attribute is available. A better ritual asks for the decision-relevant fact and leaves the larger self undisturbed. The danger is that the same syntax can become a mask for more extraction. The record must show whether less data moved, not merely whether the request looked elegant.
