[Openid-specs-ab] Question about an access token to access a UserInfo endpoint

Nat Sakimura sakimura at gmail.com
Mon Feb 8 13:52:30 UTC 2016


+1

On Mon, Feb 8, 2016 at 21:53 Justin Richer <jricher at mit.edu> wrote:

> Your interpretation is correct, the token must have the "openid" scope.
> Our implementation will return an error from the userinfo endpoint if a
> token is used without the "openid" scope there.
>
>
>  -- Justin
>
>
> On 2/8/2016 3:37 AM, Takahiko Kawasaki wrote:
>
> Hello,
>
> I have a question about an access token to access a UserInfo endpoint.
>
> OpenID Connect Core 1.0, 5.3.1. UserInfo Request says as follows.
>
>     The Access Token obtained from an OpenID Connect Authentication
>     Request MUST be sent as a Bearer Token, per Section 2 of OAuth
>     2.0 Bearer Token Usage [RFC6750].
>
> If an access token is issued via 'OpenID Connect Authentication Request'
> (not via a pure OAuth 2.0 authorization request), 'scope' must contain
> 'openid' (3.1.2.1. Authentication Request). Therefore, my interpretation is
> that an access token to access a UserInfo endpoint must cover 'openid'
> scope.
>
> Is this interpretation appropriate? Or, Is it allowed to return user
> information from a UserInfo endpoint even when an access token presented by
> a client application does not cover 'openid' scope? How do existing
> implementations behave?
>
> Best Regards,
> Takahiko Kawasaki
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
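The behaviour Justin describes (the UserInfo endpoint refusing a token that was not issued with the "openid" scope) is easy to get wrong when the same resource server also serves plain OAuth 2.0 tokens. The following is an added example, not code from this thread or from any implementation its participants maintain: a minimal UserInfo handler that parses the Bearer header per RFC 6750, looks the token up in a constructed in-memory store (a hypothetical stand-in for introspection or a database), and rejects tokens lacking "openid" with an `insufficient_scope` challenge. Token values, subject identifiers and claim values are invented for the example.

```python
from typing import Optional

# Constructed token store: opaque access token -> introspection-style record.
# Values are invented for the example and correspond to no real deployment.
TOKENS = {
    # Issued by an OpenID Connect Authentication Request: scope includes 'openid'.
    "tok-openid":  {"active": True,  "scope": "openid profile email",
                    "sub": "248289761001",
                    "claims": {"name": "Jane Doe", "email": "jane@example.com"}},
    # Issued by a plain OAuth 2.0 authorization request: no 'openid' scope.
    "tok-oauth":   {"active": True,  "scope": "read:photos",
                    "sub": "248289761001", "claims": {"name": "Jane Doe"}},
    # Revoked token that did carry 'openid'.
    "tok-revoked": {"active": False, "scope": "openid",
                    "sub": "248289761001", "claims": {}},
}

REALM = "userinfo"  # hypothetical realm name for the challenge


def bearer_error(status: int, error: Optional[str], description: Optional[str] = None):
    """Build an RFC 6750 Section 3 error response as (status, headers, body).

    A request with no usable token gets a bare challenge and no error code
    (RFC 6750 3.1); insufficient_scope additionally advertises the scope needed.
    """
    challenge = f'Bearer realm="{REALM}"'
    if error:
        challenge += f', error="{error}"'
        if description:
            challenge += f', error_description="{description}"'
        if error == "insufficient_scope":
            challenge += ', scope="openid"'
    body = {"error": error, "error_description": description} if error else None
    return status, {"WWW-Authenticate": challenge}, body


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <token>' (RFC 6750 2.1); None if absent."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def userinfo(authorization: Optional[str], tokens=TOKENS):
    """UserInfo endpoint core: returns (status, headers, body) for the given Authorization header."""
    token = parse_bearer(authorization)
    if token is None:
        return bearer_error(401, None)
    rec = tokens.get(token)
    if rec is None or not rec["active"]:
        return bearer_error(401, "invalid_token",
                            "access token is unknown, expired or revoked")
    scopes = set(rec["scope"].split())
    if "openid" not in scopes:
        # The point of the thread: a token minted without 'openid' cannot be
        # used at the UserInfo endpoint, even if it is otherwise valid.
        return bearer_error(403, "insufficient_scope",
                            "access token lacks the openid scope")
    # Success: 'sub' is always returned (Core 5.3.2); other claims follow the granted scopes.
    body = {"sub": rec["sub"]}
    if "profile" in scopes and "name" in rec["claims"]:
        body["name"] = rec["claims"]["name"]
    if "email" in scopes and "email" in rec["claims"]:
        body["email"] = rec["claims"]["email"]
    return 200, {"Content-Type": "application/json"}, body


if __name__ == "__main__":
    for header in ("Bearer tok-openid", "Bearer tok-oauth", "Bearer tok-revoked", None):
        print(header, "->", userinfo(header))
```

The scope check runs after the token has been found active, so a client with a valid but non-OpenID token receives 403 `insufficient_scope` rather than 401 `invalid_token`, which tells it the fix is to re-authorize with "openid" in the requested scope rather than to refresh the token.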