When a ShopSphere user has successfully logged into the ShopSphere e-commerce site, the user will receive the ShopSphere ID token from ShopSphere’s backend system. The ID token contains various personal information about the user.

Take, for example, Jane Doe, who is an account holder with ShopSphere, and her ID token is structured in the following manner:

{
  "iss": "http://oidc-provider.shopsphere.com",
  "sub": "auth0|123456",
  "aud": "client_id_58347",
  "exp": 1311281970,
  "iat": 1311280970,
  "name": "Jane Doe",
  "_name_zkpass_public_": true,
  "firstName": "Jane",
  "lastName": "Doe",
  "gender": "female",
  "birthdate": "2000-10-31",
  "driverLicenseNumber": "DL00718256",
  "email": "janedoe@live.com",
  "picture": "http://live.com/janedoe/me.jpg"
}

As demonstrated by the above ID token, the user data contains sufficient information needed for determining the “ShopSphere Account Holder” requirement. However, the profile also contains extraneous sensitive attributes that hold no relevance for the “ShopSphere Account Holder” assessment. Transmitting the full profile to Krisna would not only result in superfluous data transfer but also introduce considerable risk to customer privacy. Once stored in Krisna’s server database, such data becomes susceptible to a myriad of security vulnerabilities, ranging from advanced persistent threats (APTs) to unauthorized data access and insider attacks. This escalates the probability of data exfiltration events.