[Openid-specs-ab] A question about Userinfo endpoint

John Bradley ve7jtb at ve7jtb.com
Wed Feb 20 15:53:35 UTC 2013


The client is supposed to compare them.  That language predates the at-hash and was intended to prevent token substitution confusing a client.  
As it stands the sub and the sub of the id_token must be the same.

On 2013-02-20, at 12:46 PM, Nat Sakimura <sakimura at gmail.com> wrote:

> Good. Thanks. 
> 
> When I was trying to update http://tools.ietf.org/id/draft-sakimura-oidc-extension-nonweb-00.txt , it just came to my mind. This non-web extension utilizes the sub from the userinfo endpoint and if there were no assurance that sub in ID Token and sub from userinfo response would be the same, it would break. 
> 
> Nat
> 
> 2013/2/20 Brian Campbell <bcampbell at pingidentity.com>
> per http://openid.bitbucket.org/openid-connect-messages-1_0.html#StandardClaims
> 
> "The sub (subject) Claim in the UserInfo Endpoint response MUST exactly match the sub Claim in the ID Token, before using additional UserInfo Endpoint Claims."
> 
> 
> On Wed, Feb 20, 2013 at 8:27 AM, Nat Sakimura <sakimura at gmail.com> wrote:
> Hi. A question. 
> 
> In Messages, it is stated that: 
> 2.3.  UserInfo Endpoint
> 
> The UserInfo Endpoint is a Protected Resource that returns Claims about the authenticated End-User. Claims are represented by a JSON object that contains a collection of name and value pairs for the Claims.
> 
> Does the Userinfo Endpoint only provide data for the authenticated End-User? Or is it a generic protected resource that returns whatever has been authorized at the authorization server? In other words, is the value of sub in the ID Token and in the Userinfo response for the access token whose hash is in the ID Token the same?  
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
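
The check John describes above (client compares the UserInfo sub with the ID Token sub, with at_hash as the later, stronger binding of the access token to the ID Token), as an added example that is not part of the thread and is not code from the OpenID specifications or any OpenID Foundation project. It assumes the caller has already verified the ID Token signature, iss, aud and exp; the issuer, subject and token values are constructed for illustration, and at_hash is computed per the SHA-256 left-half rule for RS256/HS256/ES256 ID Tokens.

```python
"""Client-side binding of a UserInfo response to an ID Token (added example, not spec code)."""
import base64
import hashlib
import hmac
from typing import Optional


class TokenBindingError(Exception):
    """Raised when the UserInfo response cannot be tied to the ID Token the client holds."""


def compute_at_hash(access_token: str) -> str:
    """at_hash for an ID Token signed with a SHA-256 based alg:
    base64url (no padding) of the left-most 128 bits of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def check_userinfo_binding(id_token_claims: dict, userinfo_claims: dict,
                           access_token: Optional[str] = None) -> dict:
    """Return userinfo_claims only if they belong to the End-User named in the ID Token.

    id_token_claims must already be signature-verified by the caller (iss, aud, exp
    checked); this function performs only the two binding checks from the thread:
    1. optional at_hash: the access token sent to UserInfo is the one the ID Token
       was issued alongside (defeats substitution of a different access token);
    2. mandatory sub: UserInfo sub MUST exactly match ID Token sub before any
       other UserInfo claim is used.
    """
    if access_token is not None and "at_hash" in id_token_claims:
        expected = compute_at_hash(access_token).encode("ascii")
        presented = str(id_token_claims["at_hash"]).encode("utf-8")
        if not hmac.compare_digest(expected, presented):
            raise TokenBindingError("access token does not match at_hash in ID Token")

    id_sub = id_token_claims.get("sub")
    ui_sub = userinfo_claims.get("sub")
    if not id_sub or not ui_sub:
        raise TokenBindingError("sub missing from ID Token or UserInfo response")
    if id_sub != ui_sub:
        raise TokenBindingError(f"sub mismatch: ID Token {id_sub!r} vs UserInfo {ui_sub!r}")
    return userinfo_claims


# Constructed sample data (not real tokens): an ID Token for "alice-0001" and two
# UserInfo responses, one genuine and one for a different subject, as would result
# from a substituted access token at a non-checking client.
ACCESS_TOKEN = "constructed-access-token-for-alice"
ID_TOKEN_CLAIMS = {
    "iss": "https://op.example",
    "sub": "alice-0001",
    "aud": "client-123",
    "at_hash": compute_at_hash(ACCESS_TOKEN),
}
USERINFO_OK = {"sub": "alice-0001", "email": "alice@example.com"}
USERINFO_SUBSTITUTED = {"sub": "mallory-0002", "email": "mallory@example.com"}


def main() -> None:
    ok = check_userinfo_binding(ID_TOKEN_CLAIMS, USERINFO_OK, ACCESS_TOKEN)
    print("accepted UserInfo for", ok["sub"])
    try:
        check_userinfo_binding(ID_TOKEN_CLAIMS, USERINFO_SUBSTITUTED, ACCESS_TOKEN)
    except TokenBindingError as exc:
        print("rejected:", exc)


if __name__ == "__main__":
    main()
```

The sub comparison is the rule quoted from the Messages draft; the at_hash check is what the spec later added so that a client can also confirm the access token it is about to present to UserInfo is the one issued with this ID Token, rather than one swapped in by a broken or malicious intermediary.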
