[Openid-specs-ab] Spec call notes 21-Feb-13

Nat Sakimura sakimura at gmail.com
Fri Feb 22 02:14:21 UTC 2013


=nat via iPhone

On Feb 21, 2013, at 11:39, Justin Richer <jricher at mitre.org> wrote:

    John said that the one thing that we could potentially drop as MTI is
    the "request" parameter

        while keeping "request_uri" as MTI

I thought that what we'd discussed was actually the other way around?
"Request" would be MTI but "request_uri" with the fetching and whatnot was
considered significantly more scary? It's entirely possible that I missed
some key part of this conversation, so please correct me if I'm wrong.


I was not in the call, but from our previous discussions, I believe it is
the request_uri that we should keep. There are privacy and other reasons
for that.

=nat

    Tim and Justin felt that UserInfo should be MTI for all
    non-self-issued OPs

        It makes client code much easier

        It's actually only required to return the "sub" claim

        We decided to make this required for other than for
        non-self-issued OPs


John described it in a way that I think is actually cleaner: If you issue
an access_token, you have to have a UserInfo Endpoint to use it at. This
effectively says that anybody who just wants to deal in ID-token land (like
self-issued) doesn't have to deal with UserInfo Endpoints.

 -- Justin
