[Openid-specs-ab] user_id and domain

John Bradley ve7jtb at ve7jtb.com
Fri Aug 5 16:12:28 UTC 2011


I don't think it should be a superset, the information is used differently.

The argument for having user id in user info is that it is a useful double check if you are using an access token that you stored, and also to prevent user tampering with claims by replacing the access token in the token flow.

The problem is that we decided to call it id in the user info endpoint to be compatible with Facebook graph api.

We decided to call it user_id in the id_token to prevent confusion with some sort of other id, and because some people don't like short names.

I think we should make them both user_id.

I don't think issuer is required in user info because you already know who the endpoint belongs to by accessing it.
I am willing to listen to other scenarios where that might not be the case if people have them.

John B.

On 2011-08-05, at 12:02 PM, Breno de Medeiros wrote:

> On Thu, Aug 4, 2011 at 19:17, Nat Sakimura <sakimura at gmail.com> wrote:
>> In the current Lite draft, there is no issuer nor domain in the UserInfo
>> response.
> 
> I believe the issuer is in the token introspection endpoint, which is
> necessary for sign-on as currently written.
> 
> Should userinfo endpoint be a superset of tokeninfo?
> 
>> That is what I was asking about.
>> Also, in the current http-redirect draft, in the example, I found user_id
>> and domain in the token response.
>> This was another question. Is that just a typo or something?
>> =nat
>> 
>> On Fri, Aug 5, 2011 at 11:12 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>> 
>>> The domain is the issuer in the id_token.   I am not following the
>>> question.
>>> There should be no difference between lite and full in that respect.
>>> On 2011-08-04, at 10:02 PM, Nat Sakimura wrote:
>>> 
>>> I suppose even in Lite spec, the UserInfo has to return domain in addition
>>> to user_id.
>>> In the Standard spec, do we want to return user_id and domain as part of
>>> the token endpoint response as well?
>>> 
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>> 
>> 
>> 
>> 
>> --
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
> 
> 
> 
> -- 
> --Breno
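
The double check discussed in this thread, written out as a relying-party routine. This is an added example, not part of the original messages or of any OpenID draft; the function names, the `iss` claim name and the sample values are assumptions, and the id_token is assumed to have had its signature verified already.

```python
import hmac


class SubjectMismatch(Exception):
    """UserInfo does not belong to the user named in the id_token."""


def userinfo_subject(userinfo):
    # The thread notes UserInfo uses "id" while the id_token uses "user_id".
    # Accept either name; if both appear they must carry the same value.
    values = {str(userinfo[k]) for k in ("user_id", "id")
              if userinfo.get(k) not in (None, "")}
    if len(values) != 1:
        raise SubjectMismatch("no unambiguous user identifier in UserInfo")
    return values.pop()


def check_binding(id_claims, userinfo, endpoint_called, endpoints_by_issuer):
    """Return the user id if UserInfo matches the id_token, else raise.

    Assumes id_claims came from an id_token whose signature was already
    verified; the "iss" claim name is an assumption.
    """
    issuer, subject = id_claims.get("iss"), id_claims.get("user_id")
    if not issuer or not subject:
        raise SubjectMismatch("id_token lacks issuer or user_id")
    # UserInfo carries no issuer: the endpoint we called stands in for it,
    # so it must be the one configured for the id_token's issuer.
    if endpoints_by_issuer.get(issuer) != endpoint_called:
        raise SubjectMismatch("UserInfo endpoint is not this issuer's")
    got = userinfo_subject(userinfo)
    if not hmac.compare_digest(str(subject).encode(), got.encode()):
        raise SubjectMismatch("UserInfo user differs from id_token user")
    return got


# Constructed sample data (not from the thread).
ENDPOINTS = {"https://op.example": "https://op.example/userinfo"}
ID_CLAIMS = {"iss": "https://op.example", "user_id": "24400320"}
OWN_USERINFO = {"id": "24400320", "name": "Jane Doe"}
OTHER_USERINFO = {"id": "99999999", "name": "Someone Else"}  # swapped token


def is_bound(userinfo, endpoint="https://op.example/userinfo"):
    """True when the UserInfo response is bound to ID_CLAIMS."""
    try:
        check_binding(ID_CLAIMS, userinfo, endpoint, ENDPOINTS)
        return True
    except SubjectMismatch:
        return False
```

A response fetched with a replaced access token (`OTHER_USERINFO`) fails the check, as does a response that carries both `id` and `user_id` with different values.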
