[Openid-specs-ab] Question about an access token to access a UserInfo endpoint

Takahiko Kawasaki daru.tk at gmail.com
Tue Feb 9 22:40:45 UTC 2016


Dear Justin,

Thank you for your reply. I could confirm my interpretation was not wrong.
My implementation behaves in the same way. Thank you.

Best Regards,
Takahiko Kawasaki

2016-02-08 22:52 GMT+09:00 Nat Sakimura <sakimura at gmail.com>:

> +1
>
> Mon, Feb 8, 2016, 21:53 Justin Richer <jricher at mit.edu>:
>
>> Your interpretation is correct, the token must have the "openid" scope.
>> Our implementation will return an error from the userinfo endpoint if a
>> token is used without the "openid" scope there.
>>
>>
>>  -- Justin
>>
>>
>> On 2/8/2016 3:37 AM, Takahiko Kawasaki wrote:
>>
>> Hello,
>>
>> I have a question about an access token to access a UserInfo endpoint.
>>
>> OpenID Connect Core 1.0, 5.3.1. UserInfo Request says as follows.
>>
>>     The Access Token obtained from an OpenID Connect Authentication
>>     Request MUST be sent as a Bearer Token, per Section 2 of OAuth
>>     2.0 Bearer Token Usage [RFC6750].
>>
>> If an access token is issued via 'OpenID Connect Authentication Request'
>> (not via a pure OAuth 2.0 authorization request), 'scope' must contain
>> 'openid' (3.1.2.1. Authentication Request). Therefore, my interpretation is
>> that an access token to access a UserInfo endpoint must cover 'openid'
>> scope.
>>
>> Is this interpretation appropriate? Or, is it allowed to return user
>> information from a UserInfo endpoint even when an access token presented by
>> a client application does not cover 'openid' scope? How do existing
>> implementations behave?
>>
>> Best Regards,
>> Takahiko Kawasaki
>>
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>>
>
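
The scope check discussed in this thread, as an added example that is not part of the original messages or of any implementation mentioned in them. Returning 403 with `insufficient_scope` follows RFC 6750 section 3.1; the token store, user record and function names are constructed for illustration.

```python
# Added example: UserInfo endpoint scope gate (sample data is constructed).
SCOPE_CLAIMS = {  # scope-to-claims mapping, OpenID Connect Core 1.0 section 5.4
    "profile": {"name", "family_name", "given_name", "preferred_username"},
    "email": {"email", "email_verified"},
}

# Constructed records standing in for a token database or introspection result.
TOKENS = {
    "tok-oidc": {"active": True, "sub": "user-1", "scope": "openid email"},
    "tok-oauth": {"active": True, "sub": "user-1", "scope": "email profile"},
    "tok-lookalike": {"active": True, "sub": "user-1", "scope": "openid_connect email"},
    "tok-expired": {"active": False, "sub": "user-1", "scope": "openid"},
}
USERS = {"user-1": {"name": "Alice Example", "email": "alice@example.com",
                    "email_verified": True}}


def bearer_error(status, error, description):
    """Build an RFC 6750 section 3 error response as (status, headers, body)."""
    challenge = f'Bearer error="{error}", error_description="{description}"'
    if error == "insufficient_scope":
        challenge += ', scope="openid"'
    return status, {"WWW-Authenticate": challenge}, None


def userinfo(authorization_header):
    """Handle a UserInfo request given the raw Authorization header value."""
    scheme, _, token = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        # No credentials presented: challenge without an error code.
        return 401, {"WWW-Authenticate": "Bearer"}, None
    record = TOKENS.get(token.strip())
    if record is None or not record["active"]:
        return bearer_error(401, "invalid_token", "unknown or expired token")
    # Scope is a space-delimited list; compare whole values, never substrings.
    granted = set(record["scope"].split())
    if "openid" not in granted:
        return bearer_error(403, "insufficient_scope", "openid scope required")
    # Release only "sub" plus the claims the granted scopes map to.
    allowed = {"sub"}.union(*(SCOPE_CLAIMS.get(s, set()) for s in granted))
    user = dict(USERS[record["sub"]], sub=record["sub"])
    return 200, {"Content-Type": "application/json"}, {
        k: v for k, v in user.items() if k in allowed}
```

The `tok-lookalike` record shows why the scope string is split before comparison: a substring test would accept `openid_connect` as if it were `openid`.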