<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Your interpretation is correct: the token must have the "openid"
scope. Our implementation will return an error from the userinfo
endpoint if a token is used without the "openid" scope there.<br>
<br>
-- Justin<br>
<br>
<div class="moz-cite-prefix">On 2/8/2016 3:37 AM, Takahiko Kawasaki
wrote:<br>
</div>
<blockquote
cite="mid:CAGpwqP9TWxAHj3tMy7cDf3pca0nQSCTzFKBfA+yGnFEhD+cUiw@mail.gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<div dir="ltr">Hello,<br>
<br>
I have a question about an access token to access a UserInfo
endpoint.<br>
<br>
OpenID Connect Core 1.0, 5.3.1. UserInfo Request says as
follows.<br>
<br>
The Access Token obtained from an OpenID Connect
Authentication<br>
Request MUST be sent as a Bearer Token, per Section 2 of
OAuth<br>
2.0 Bearer Token Usage [RFC6750]. <br>
<br>
If an access token is issued via 'OpenID Connect Authentication
Request' (not via a pure OAuth 2.0 authorization request),
'scope' must contain 'openid' (3.1.2.1. Authentication Request).
Therefore, my interpretation is that an access token to access a
UserInfo endpoint must cover 'openid' scope.<br>
<br>
Is this interpretation appropriate? Or, is it allowed to return
user information from a UserInfo endpoint even when an access
token presented by a client application does not cover 'openid'
scope? How do existing implementations behave?<br>
<br>
Best Regards,<br>
Takahiko Kawasaki<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
</blockquote>
<br>
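As an added example (not code from this thread or from Justin's implementation), here is a minimal UserInfo handler that enforces the "openid" scope check discussed above and rejects other tokens using the RFC 6750 Bearer error scheme; the token store, token strings and user claims are constructed for the example.

```python
# Added example: UserInfo endpoint that refuses access tokens lacking the
# "openid" scope. Not the thread's or any real provider's code.
import time
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AccessToken:
    """Constructed token record, standing in for a token database lookup."""
    subject: str
    scope: str                      # space-separated scope values
    expires_at: float
    claims: dict = field(default_factory=dict)

# Constructed token store keyed by the opaque token string (assumption).
TOKENS = {
    "tok-oidc": AccessToken("alice", "openid profile email", time.time() + 3600,
                            {"name": "Alice", "email": "alice@example.com"}),
    "tok-oauth": AccessToken("bob", "read:files", time.time() + 3600),  # plain OAuth 2.0
    "tok-expired": AccessToken("carol", "openid", time.time() - 1),
}

def bearer_error(status: int, error: str, description: str) -> tuple:
    """Error response shaped per RFC 6750 section 3: (status, headers, body)."""
    hdr = f'Bearer error="{error}", error_description="{description}"'
    return status, {"WWW-Authenticate": hdr}, {"error": error}

def userinfo(authorization_header: Optional[str]) -> tuple:
    """Handle GET /userinfo for one request; returns (status, headers, body)."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        # No credentials: bare challenge without an error code (RFC 6750 3.1)
        return 401, {"WWW-Authenticate": "Bearer"}, {}
    token = TOKENS.get(authorization_header[len("Bearer "):])
    if token is None or token.expires_at <= time.time():
        return bearer_error(401, "invalid_token", "token is unknown or expired")
    scopes = token.scope.split()
    if "openid" not in scopes:
        # Token did not come from an OpenID Connect Authentication Request
        return bearer_error(403, "insufficient_scope", "openid scope required")
    body = {"sub": token.subject}          # sub is always returned
    if "profile" in scopes:                # remaining claims gated by scope
        body["name"] = token.claims.get("name")
    if "email" in scopes:
        body["email"] = token.claims.get("email")
    return 200, {"Content-Type": "application/json"}, body
```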
</body>
</html>