[Openid-specs-ab] JWT claims in signed UserInfo responses

Mike Jones Michael.Jones at microsoft.com
Wed Nov 27 05:18:49 UTC 2013


So where did we land on this?  If the UserInfo response is a signed JWT, did we decide to require an “iss” claim that matches the OP’s issuer value?

What about “aud”?  Should we say that an “aud” claim MAY also be included?  Or SHOULD be or MUST be?

What if it’s encrypted but not signed (which I think is legal)?  Should these fields be there then too?

                                                            -- Mike
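The checks being debated above (iss matching the OP's issuer, aud covering the receiving client, sub scoped to iss and tied back to the ID Token), written out as an added example that is not part of this thread or of any OpenID Foundation code. It uses a self-contained HS256 JWS so it runs offline; the issuer, client_id, key and sub values are constructed, and whether iss/aud are required is left as a policy switch because the thread has not settled it:

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example (hypothetical OP, client, key and user).
ISSUER = "https://op.example.com"
CLIENT_ID = "client-123"
KEY = b"constructed-shared-secret-for-hs256"
ID_TOKEN_SUB = "24400320"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (HS256) carrying a UserInfo claim set."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the JWS signature and return the decoded claim set."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header, payload, signature = parts
    # The verifier pins the algorithm; it never trusts the alg named in the token.
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(payload))


def check_userinfo_claims(claims: dict, issuer: str, client_id: str, id_token_sub: str,
                          require_iss: bool = True, require_aud: bool = False) -> list:
    """Apply the claim rules to an already-authenticated UserInfo claim set.

    Returns a list of problems; an empty list means the claims are acceptable.
    The same function applies to a payload recovered from a JWE, since the
    rules concern the claims, not how the envelope was protected.
    """
    problems = []
    # sub is only meaningful within iss, so it must match the sub of the ID Token
    # obtained from the same OP.
    if claims.get("sub") != id_token_sub:
        problems.append("sub does not match the ID Token sub")
    if "iss" in claims:
        if claims["iss"] != issuer:
            problems.append("iss does not match the OP issuer")
    elif require_iss:
        problems.append("iss missing")
    if "aud" in claims:
        # aud is a single string or a list of strings; the receiving client must be in it,
        # which is what stops a response leaked to another party from being accepted.
        aud = claims["aud"]
        audiences = [aud] if isinstance(aud, str) else list(aud)
        if client_id not in audiences:
            problems.append("aud does not include this client")
    elif require_aud:
        problems.append("aud missing")
    return problems


def validate_userinfo_jwt(token: str, key: bytes, issuer: str, client_id: str,
                          id_token_sub: str, **policy) -> list:
    """Signature first, then claims; a bad signature short-circuits everything else."""
    try:
        claims = verify_hs256(token, key)
    except ValueError as exc:
        return [f"JWS rejected: {exc}"]
    return check_userinfo_claims(claims, issuer, client_id, id_token_sub, **policy)


if __name__ == "__main__":
    token = sign_hs256({"iss": ISSUER, "aud": CLIENT_ID, "sub": ID_TOKEN_SUB, "name": "Jane Doe"}, KEY)
    print(validate_userinfo_jwt(token, KEY, ISSUER, CLIENT_ID, ID_TOKEN_SUB))
```

The split between verify_hs256 and check_userinfo_claims is deliberate: the claim rules are the same whether the response arrived as a JWS, a JWE, or a JWE wrapping a JWS, so only the envelope-handling step changes for the encrypted-but-not-signed case.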

From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Wednesday, November 06, 2013 11:34 AM
To: Nat Sakimura
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] JWT claims in signed UserInfo responses

Thanks for the clarification.


Nat Sakimura <sakimura at gmail.com> wrote:
Right, it is not an assertion that you reuse for something.
Having said that, sub is only scoped to iss, and when storing the userinfo result at the client, it probably is a good idea to store iss with it.

The reason for including aud also is not to use it as a token, but as a metadata to prevent the accidental leak.

2013/11/6 Torsten Lodderstedt <torsten at lodderstedt.net>
I'm getting confused. I thought the reason to encrypt/sign UserInfo is to implement end2end message security. I don't see the UserInfo response as another kind of assertion intended to be passed around. The ID Token is intended for that purpose, right?

Therefore I don't see a need to add aud or iss claims to the UserInfo response.


On 06.11.2013 02:29, Nat Sakimura wrote:

+1

And perhaps aud as well to prevent an accidental transfer to a third party.
It is not a MUST but still is a good practice.

=nat via iPhone

On Nov 6, 2013 1:56, "Vladimir Dzhuvinov / NimbusDS" <vladimir at nimbusds.com> wrote:
Hi guys,

For UserInfo responses encoded as JWTs - which of the standard JWT
claims, apart from the mandatory "sub", do you choose to include?

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-4.1

It appears to me that in order for the UserInfo to be suitable for
passing around as a JWT it should include at least the "iss" claim.

Thanks,

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net<mailto:Openid-specs-ab at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-ab



--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en