[Openid-specs-ab] Question about an access token to access a UserInfo endpoint
jricher at mit.edu
Mon Feb 8 12:52:54 UTC 2016
Your interpretation is correct; the token must have the "openid" scope.
Our implementation will return an error from the userinfo endpoint if a
token is used without the "openid" scope there.
On 2/8/2016 3:37 AM, Takahiko Kawasaki wrote:
> I have a question about an access token to access a UserInfo endpoint.
> OpenID Connect Core 1.0, 5.3.1. UserInfo Request says as follows.
> The Access Token obtained from an OpenID Connect Authentication
> Request MUST be sent as a Bearer Token, per Section 2 of OAuth
> 2.0 Bearer Token Usage [RFC6750].
> If an access token is issued via 'OpenID Connect Authentication
> Request' (not via a pure OAuth 2.0 authorization request), 'scope'
> must contain 'openid' (3.1.2.1. Authentication Request). Therefore, my
> interpretation is that an access token to access a UserInfo endpoint
> must cover 'openid' scope.
> Is this interpretation appropriate? Or is it allowed to return user
> information from a UserInfo endpoint even when an access token
> presented by a client application does not cover 'openid' scope? How
> do existing implementations behave?
> Best Regards,
> Takahiko Kawasaki
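The behaviour the thread settles on, a UserInfo endpoint that refuses an access token lacking the "openid" scope, as an added example (not code from either poster's implementation). The token store, realm name and claim values are constructed sample data; error responses follow the RFC 6750 bearer-token challenge format that section 5.3.1 points to.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample token store (not real data): access token -> (scopes, claims).
# A real server would consult its own token storage or an introspection endpoint.
TOKENS: Dict[str, Tuple[set, Dict[str, str]]] = {
    "tok-openid": ({"openid", "profile"}, {"sub": "248289761001", "name": "Jane Doe"}),
    "tok-plain-oauth": ({"read:calendar"}, {"sub": "248289761001"}),  # no openid scope
}

# RFC 6750 section 2.1: Authorization: Bearer <b64token>
_BEARER_RE = re.compile(r"^Bearer\s+([A-Za-z0-9._~+/=-]+)$")


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Return the bearer token from an Authorization header, or None if absent/malformed."""
    if not authorization:
        return None
    m = _BEARER_RE.match(authorization.strip())
    return m.group(1) if m else None


def _challenge(status: int, error: str, desc: str, scope: str = "") -> Tuple[int, Dict[str, str], Dict]:
    """Build an RFC 6750 section 3 error response with a WWW-Authenticate challenge."""
    params = f'Bearer realm="userinfo", error="{error}", error_description="{desc}"'
    if scope:
        params += f', scope="{scope}"'
    return status, {"WWW-Authenticate": params}, {"error": error, "error_description": desc}


def userinfo(authorization: Optional[str]) -> Tuple[int, Dict[str, str], Dict]:
    """Handle a UserInfo request; returns (HTTP status, headers, JSON body)."""
    token = parse_bearer(authorization)
    if token is None:
        # No credential presented: bare challenge without an error code (RFC 6750 3.1).
        return 401, {"WWW-Authenticate": 'Bearer realm="userinfo"'}, {}
    entry = TOKENS.get(token)
    if entry is None:
        return _challenge(401, "invalid_token", "unknown or expired access token")
    scopes, claims = entry
    if "openid" not in scopes:
        # Token came from a plain OAuth 2.0 grant, not an OpenID Connect
        # Authentication Request, so it does not authorize UserInfo access.
        return _challenge(403, "insufficient_scope", "openid scope required", scope="openid")
    return 200, {"Content-Type": "application/json"}, dict(claims)
```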