[Openid-specs-ab] Fwd: Re: Migration from OpenID 2.0 to OpenID Connect

Justin Richer jricher at mitre.org
Wed Dec 12 17:27:06 UTC 2012

Forwarding Ryo Ito's response to list, don't think it went through.

-------- Original Message --------
Subject: 	Re: [Openid-specs-ab] Migration from OpenID 2.0 to OpenID Connect
Date: 	Thu, 13 Dec 2012 02:27:44 +0900
From: 	Ryo Ito <ritou.06 at gmail.com>
To: 	Justin Richer <jricher at mitre.org>

> but should it really be in the id token?

I think that the handling of RP becomes simple by putting this Claim
in ID Token.
For example, I image the following flow.

1. RP receives ID Token and Access Token in any Grant Type.
2. RP uses "user_id" included in ID Token for database lookup.
3. If the "user_id" is not registered, RP fetches an attribute from
UserInfo EP and display sign-up page.

In this case, RP only uses the Claimed ID of OpenID 2.0 instead of "user_id".

> I don't think it makes much sense to preregister this piece of information

This is a discussion points.
For OP which does not support PPID, it is not so sensitive to hand Claimed ID.
However, for OP supporting PPID, realm verification may be important.

I want to hear the thought of service supporting PPID like Google.


2012/12/13 Justin Richer <jricher at mitre.org>:
> I definitely like the idea of bridging the two -- we've got a similar
> situation here where our OIDC and OID2 servers will continue to run side by
> side. Some of our RPs are switching, some aren't, but the ones that are will
> need to have a way to transition. We can internally rely on stable usernames
> in the short term, so we've been doing that, but it would certainly be
> helpful to be explicit about it.
> I like the claim name, but should it really be in the id token? It seems
> like it's more a userinfo endpoint type of datum, to me. Stable, attached to
> the user, not changing with the session. Of course, like any claim, you
> could ask for it as part of a fat ID token, if that's your thing.
> I don't think it makes much sense to preregister this piece of information
> -- I'd rather see it just be included as part of the "profile" claim set or
> requested explicitly in the request object, like you have below.
>  -- Justin
> On 12/12/2012 09:00 AM, Ryo Ito wrote:
>> Hi,
>> I talked with some Identity Geeks about migration from OpenID 2.0 to
>> OpenID Connect.
>> This is a draft of Migration Guide.
>> https://github.com/ritou/r-weblife/wiki/Openid2-to-openidconnect
>> This document assumes the situation in which OP is an existing site
>> which supports OpenID 2.0, and now is supporting the OpenID Connect.
>> OpenID 2.0 will be provided for the time being side by side.
>> OP may not return a common identifier for each protocols.
>> We suggest that OP returns an ID Token including the existing OpenID
>> 2.0 identifier in OpenID Connect flow.
>> ===
>> Dynamic Client Registration
>> OP receives following parameters.
>> require_openid2_claimed_id
>>   OPTIONAL. (require openid2_claimed_id claim): Type: Logical - If the
>> value is true, then the openid2_claimed_id claim in the id_token is
>> REQUIRED. The returned Claim Value is the Claimed Identifier of OpenID
>> 2.0. The openid2_claimed_id claim request in the request object
>> overrides this setting.
>> openid2_realm
>>   OPTIONAL. This is "openid.realm" parameter which used at OpenID 2.0
>> Request for realm-based PPID generation.
>> ===
>> ===
>> OpenID Request Object
>> If OP support the request with OpenID Request Object, RP is able to
>> set claims to "id_token" member.
>> "id_token":
>>   {
>>     "claims":
>>       {
>>        "auth_time": {"essential": true},
>>        ...
>>        "openid2_claimed_id": {"essential": true},
>>        "openid2_realm": "http://oid2rp.example.com/",
>>        "acr": { "values":["2"] }
>>       },
>>     "max_age": 86400
>>   }
>> ===
>> ===
>> ID Token Payload
>> OP includes "openid2_claimed_id" to Payload.
>> {
>>   "iss": "https://op.example.com",
>>   "user_id": "24400320",
>>   "aud": "s6BhdRkqt3",
>>   "nonce": "n-0S6_WzA2Mj",
>>   "exp": 1311281970,
>>   "iat": 1311280970,
>>   "openid2_claimed_id": "https://op.example.com/u/24400320",
>>   ...
>> }
>> ===
>> Should these be included in specifications?
>> regards,
>> Ryo.

Ryo Ito
Email : ritou.06 at gmail.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20121212/8c587595/attachment-0001.html>

More information about the Openid-specs-ab mailing list