[Openid-specs-ab] Question about an access token to access a UserInfo endpoint

Takahiko Kawasaki daru.tk at gmail.com
Mon Feb 8 08:37:37 UTC 2016


Hello,

I have a question about an access token to access a UserInfo endpoint.

OpenID Connect Core 1.0, 5.3.1. UserInfo Request says as follows.

    The Access Token obtained from an OpenID Connect Authentication
    Request MUST be sent as a Bearer Token, per Section 2 of OAuth
    2.0 Bearer Token Usage [RFC6750].

If an access token is issued via 'OpenID Connect Authentication Request'
(not via a pure OAuth 2.0 authorization request), 'scope' must contain
'openid' (3.1.2.1. Authentication Request). Therefore, my interpretation is
that an access token to access a UserInfo endpoint must cover 'openid'
scope.

Is this interpretation appropriate? Or, is it allowed to return user
information from a UserInfo endpoint even when an access token presented by
a client application does not cover 'openid' scope? How do existing
implementations behave?

Best Regards,
Takahiko Kawasaki
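Added example, not part of the post above: a minimal UserInfo endpoint handler that enforces the interpretation asked about in the question, i.e. the Bearer token (RFC 6750 header form) must have been issued with the 'openid' scope before any claims are returned, answering with the RFC 6750 error codes otherwise. The token store, subjects and claims are constructed sample data.

```python
from typing import Dict, Optional, Tuple

# Constructed sample token store: token -> subject and granted scopes.
# 'tok-plain-oauth' models a token from a pure OAuth 2.0 authorization
# request that never carried 'openid'.
TOKENS = {
    "tok-openid": {"sub": "248289761001", "scope": {"openid", "profile"}},
    "tok-plain-oauth": {"sub": "248289761001", "scope": {"read:photos"}},
}
# Constructed claims keyed by subject identifier.
CLAIMS = {"248289761001": {"sub": "248289761001", "name": "Jane Doe"}}


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from an 'Authorization: Bearer <token>' header."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def userinfo(headers: Dict[str, str]) -> Tuple[int, Dict[str, str], Dict[str, str]]:
    """Return (status, response headers, JSON body) for a UserInfo request."""
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        # RFC 6750 section 3.1: no credentials at all -> challenge without an error code
        return 401, {"WWW-Authenticate": 'Bearer realm="userinfo"'}, {}
    entry = TOKENS.get(token)
    if entry is None:
        challenge = 'Bearer realm="userinfo", error="invalid_token"'
        return 401, {"WWW-Authenticate": challenge}, {}
    if "openid" not in entry["scope"]:
        # Token exists but was not issued via an OpenID Connect Authentication
        # Request, so it does not cover 'openid': refuse with insufficient_scope.
        challenge = 'Bearer realm="userinfo", error="insufficient_scope", scope="openid"'
        return 403, {"WWW-Authenticate": challenge}, {}
    return 200, {"Content-Type": "application/json"}, dict(CLAIMS[entry["sub"]])
```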