[Openid-specs-ab] JWT claims in signed UserInfo responses

Nat Sakimura sakimura at gmail.com
Wed Nov 27 14:44:34 UTC 2013


Obviously, both iss and aud MAY be included as this is allowed in the
current draft. However, perhaps some stronger language could be worthwhile.
Even if it is not in a normative language, perhaps some NOTE can be useful.

My take is:

iss is SHOULD. sub is scoped to iss, and to avoid any chance of conflating
one sub with another identical one from another iss, it should be there. It
could be RECOMMENDED instead of SHOULD.

aud is RECOMMENDED. User's consent is given to the aud. It would be easier
for the service to manage the included personal data if there is an
explicit aud. If not, it has to do it itself.


2013/11/27 Mike Jones <Michael.Jones at microsoft.com>

>  So where did we land on this?  If the UserInfo response is a signed JWT,
> did we decide to require an “iss” claim that matches the OP’s issuer value?
>
> What about “aud”?  Should we say that an “aud” claim MAY also be
> included?  Or SHOULD be or MUST be?
>
> What if it’s encrypted but not signed (which I think is legal).  Should
> these fields be there then too?
>
> -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten
> Lodderstedt
> Sent: Wednesday, November 06, 2013 11:34 AM
> To: Nat Sakimura
> Cc: openid-specs-ab at lists.openid.net
> Subject: Re: [Openid-specs-ab] JWT claims in signed UserInfo responses
>
> Thanks for the clarification.
>
> Nat Sakimura <sakimura at gmail.com> wrote:
>
> Right, it is not an assertion that you reuse for something.
>
> Having said that, sub is only scoped to iss, and when storing the userinfo
> result at the client, it probably is a good idea to store iss with it.
>
> The reason for including aud also is not to use it as a token, but as a
> metadata to prevent the accidental leak.
>
> 2013/11/6 Torsten Lodderstedt <torsten at lodderstedt.net>
>
> I'm getting confused. I thought the reason to encrypt/sign UserInfo is to
> implement end2end message security. I don't see the UserInfo response as
> another kind of assertion intended to be passed around. The ID Token is
> intended for that purpose, right?
>
> Therefore I don't see a need to add aud or iss claims to the UserInfo
> response.
>
>
> On 06.11.2013 02:29, Nat Sakimura wrote:
>
> +1
>
> And perhaps aud as well to prevent an accidental transfer to a third party.
> It is not a MUST but still is a good practice.
>
> =nat via iPhone
>
> On Nov 6, 2013 1:56, "Vladimir Dzhuvinov / NimbusDS" <vladimir at nimbusds.com>
> wrote:
>
> Hi guys,
>
> For UserInfo responses encoded as JWTs - which of the standard JWT
> claims, apart from the mandatory "sub", do you choose to include?
>
> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-4.1
>
> It appears to me that in order for the UserInfo to be suitable for
> passing around as a JWT it should include at least the "iss" claim.
>
> Thanks,
>
> Vladimir
>
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
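As an added example (not code from this thread or from any OpenID Foundation project), here is the client-side check that follows from the positions above: the signature is verified first, an iss that does not match the OP the client fetched from is rejected, the claims are filed under the (iss, sub) pair so identical subs from different issuers never collide, and an aud, when present, must name this client so a response issued for another relying party is not accepted or passed on by mistake. HS256 keyed with a constructed shared secret stands in for the OP's signing; the issuer URL, client id and claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; not real endpoints, ids or keys.
OP_ISSUER = "https://op.example.com"
CLIENT_ID = "s6BhdRkqt3"
CLIENT_SECRET = b"constructed-shared-secret-for-hs256"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_userinfo(claims: dict, key: bytes) -> str:
    """Stand-in for the OP: compact HS256 JWT over the UserInfo claims."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify_userinfo(token: str, key: bytes, expected_iss: str, client_id: str) -> tuple:
    """Client side: check the signature, then the iss/aud rules discussed above.
    Returns the (iss, sub) pair the client should file the claims under."""
    head, body, sig = token.split(".")
    if json.loads(unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body))
    if "sub" not in claims:
        raise ValueError("sub is mandatory")
    # iss: if present it must name the OP the client fetched from; if absent,
    # sub is still scoped to that OP, so the stored key carries the issuer anyway.
    iss = claims.get("iss", expected_iss)
    if iss != expected_iss:
        raise ValueError("iss does not match the OP's issuer")
    # aud: if present, this client must be named, so a response issued for
    # another relying party is not accepted or passed on by mistake.
    if "aud" in claims:
        aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if client_id not in aud:
            raise ValueError("aud does not include this client")
    return (iss, claims["sub"])
```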