[Openid-specs-ab] A question about Userinfo endpoint

Mike Jones Michael.Jones at microsoft.com
Wed Feb 20 15:30:22 UTC 2013

Yes - somewhere in the specs (I can look for it if you want) we require that the Client confirm that the "sub" values returned in the ID Token and by the UserInfo Endpoint be the same.

                                                            -- Mike

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Wednesday, February 20, 2013 7:27 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] A question about Userinfo endpoint

Hi. A question.

In Messages, it is stated that:
2.3.  UserInfo Endpoint

The UserInfo Endpoint is a Protected Resource that returns Claims about the authenticated End-User. Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims.
Does Userinfo Endpoint only provide data for authenticated End-user? Or is it a generic protected resource that returns whatever have been authorized at the authorization server? In another word, is the value of sub in the ID Token and the Userinfo response for the access token whose hash is in the ID Token the same?
Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130220/cf0eefbb/attachment.html>

More information about the Openid-specs-ab mailing list