[Openid-specs-ab] A question about Userinfo endpoint
sakimura at gmail.com
Thu Feb 21 09:42:42 UTC 2013
The draft is pointing the possibility out in a note.
=nat via iPhone
On Feb 21, 2013, at 1:45, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
I'm wondering why this is defined as an OIDC extension. To me it looks like
ordinary OAuth + Token Introspection.
On 20.02.2013 at 16:46, Nat Sakimura <sakimura at gmail.com> wrote:
When I was trying to update
http://tools.ietf.org/id/draft-sakimura-oidc-extension-nonweb-00.txt , it
just came to my mind. This non-web extension utilizes the sub from the
userinfo endpoint and if there were no assurance that sub in ID Token and
sub from userinfo response would be the same, it would break.
2013/2/20 Brian Campbell <bcampbell at pingidentity.com>
> "The sub (subject) Claim in the UserInfo Endpoint response MUST exactly
> match the sub Claim in the ID Token, before using additional UserInfo
> Endpoint Claims."
> On Wed, Feb 20, 2013 at 8:27 AM, Nat Sakimura <sakimura at gmail.com> wrote:
>> Hi. A question.
>> In Messages (2.3. UserInfo Endpoint), it is stated that:
>> The UserInfo Endpoint is a Protected Resource that returns Claims about
>> the authenticated End-User. Claims are represented by a JSON object that
>> contains a collection of name and value pairs for the Claims.
>> Does the Userinfo Endpoint only provide data for the authenticated End-User? Or
>> is it a generic protected resource that returns whatever has been
>> authorized at the authorization server? In other words, is the value of
>> sub in the ID Token and in the Userinfo response for the access token whose
>> hash is in the ID Token the same?
>> Nat Sakimura (=nat)
>> Chairman, OpenID Foundation
Nat Sakimura (=nat)
Chairman, OpenID Foundation
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
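As an added example (not code from this thread or from any OpenID implementation), here is a Relying Party-side check in Python for the requirement Brian quotes: it ties the UserInfo response to the ID Token via at_hash and then requires the two sub values to match before any further UserInfo Claims are used. The at_hash construction and subject-matching rule are from OpenID Connect Core; the token and sub values are constructed sample data, and the ID Token signature is assumed to have been validated already.

```python
import base64
import hashlib

# Added example (not from the thread): a Relying Party-side check that binds the
# UserInfo response to the ID Token before any UserInfo Claims are used.
# Two things are verified:
#   1. at_hash in the ID Token matches the access token that was sent to the
#      UserInfo Endpoint (left-most half of the hash, base64url without padding,
#      hash function chosen by the ID Token's signing alg, as in OIDC Core).
#   2. The sub Claim in the UserInfo response exactly matches sub in the ID Token.
# Assumption: the ID Token's signature has already been validated by the caller.

_HASH_FOR_ALG = {"RS256": hashlib.sha256, "ES256": hashlib.sha256,
                 "RS384": hashlib.sha384, "RS512": hashlib.sha512}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Return the at_hash value for access_token under the ID Token's alg."""
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def check_userinfo_binding(id_token_claims: dict, access_token: str,
                           userinfo_claims: dict, alg: str = "RS256") -> bool:
    """True only if the UserInfo Claims may be used for the ID Token's subject."""
    expected = id_token_claims.get("at_hash")
    if expected is not None and expected != compute_at_hash(access_token, alg):
        return False  # the access token is not the one bound to this ID Token
    id_sub = id_token_claims.get("sub")
    # sub must be present and must match exactly; any other UserInfo Claims
    # are only meaningful once this holds.
    return bool(id_sub) and userinfo_claims.get("sub") == id_sub


if __name__ == "__main__":
    # Constructed sample values, not real tokens or subjects.
    token = "sample-access-token-abc123"
    id_claims = {"iss": "https://op.example", "sub": "user-7f3a",
                 "aud": "client1", "at_hash": compute_at_hash(token)}
    good = {"sub": "user-7f3a", "name": "Jane Doe"}
    other_subject = {"sub": "user-0000", "name": "Someone Else"}
    print(check_userinfo_binding(id_claims, token, good))           # True
    print(check_userinfo_binding(id_claims, token, other_subject))  # False
```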