[Openid-specs-ab] Spec call notes 21-Feb-13

Justin Richer jricher at mitre.org
Thu Feb 21 16:38:27 UTC 2013


> John said that the one thing that we could potentially drop as MTI is
> the "request" parameter
>
>     while keeping "request_uri" as MTI
>
I thought that what we'd discussed was actually the other way around? 
"Request" would be MTI but "request_uri" with the fetching and whatnot 
was considered significantly more scary? It's entirely possible that I 
missed some key part of this conversation, so please correct me if I'm 
wrong.

> Tim and Justin felt that UserInfo should be MTI for all
> non-self-issued OPs
>
>     It makes client code much easier
>
>     It's actually only required to return the "sub" claim
>
>     We decided to make this required for other than for
>     non-self-issued OPs
>

John described it in a way that I think is actually cleaner: If you 
issue an access_token, you have to have a UserInfo Endpoint to use it 
at. This effectively says that anybody who just wants to deal in 
ID-token land (like self-issued) doesn't have to deal with UserInfo 
Endpoints.

  -- Justin