[Openid-specs-ab] user_id and domain
David Recordon
dr at fb.com
Wed Aug 10 06:09:03 UTC 2011
I guess I don't really understand the need for two distinct
endpoints...going to try and do a full read of the lite spec this week.
On 8/5/11 9:12 AM, "John Bradley" <ve7jtb at ve7jtb.com> wrote:
>I don't think it should be a superset, the information is used
>differently.
>
>The argument for having user id in user info is that it is a useful
>double check if you are using an access token that you stored, and also to
>prevent user tampering with claims by replacing the access token in the
>token flow.
>
>The problem is that we decided to call it id in the user info endpoint to
>be compatible with Facebook Graph API.
>
>We decided to call it user_id in the id_token to prevent confusion with
>some sort of other id, and because some people don't like short names.
>
>I think we should make them both user_id.
>
>I don't think issuer is required in user info because you already know
>who the endpoint belongs to by accessing it.
>I am willing to listen to other scenarios where that might not be the case
>if people have them.
>
>John B.
>
>On 2011-08-05, at 12:02 PM, Breno de Medeiros wrote:
>
>> On Thu, Aug 4, 2011 at 19:17, Nat Sakimura <sakimura at gmail.com> wrote:
>>> In the current Lite draft, there is no issuer nor domain in the UserInfo
>>> response.
>>
>> I believe the issuer is in the token introspection endpoint, which is
>> necessary for sign-on as currently written.
>>
>> Should userinfo endpoint be a superset of tokeninfo?
>>
>>> That is what I was asking about.
>>> Also, in the current http-redirect draft, in the example, I found user_id
>>> and domain in the token response.
>>> This was another question. Is that just a typo or something?
>>> =nat
>>>
>>> On Fri, Aug 5, 2011 at 11:12 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>>
>>>> The domain is the issuer in the id_token. I am not following the
>>>> question.
>>>> There should be no difference between lite and full in that respect.
>>>> On 2011-08-04, at 10:02 PM, Nat Sakimura wrote:
>>>>
>>>> I suppose even in Lite spec, the UserInfo has to return domain in addition
>>>> to user_id.
>>>> In the Standard spec, do we want to return user_id and domain as part of
>>>> the token endpoint response as well?
>>>>
>>>> --
>>>> Nat Sakimura (=nat)
>>>> Chairman, OpenID Foundation
>>>> http://nat.sakimura.org/
>>>> @_nat_en
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>
>>>
>>>
>>> --
>>> Nat Sakimura (=nat)
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>>>
>>
>>
>>
>> --
>> --Breno
>
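
The double check John Bradley describes above, comparing the user id returned by UserInfo with the user_id in the id_token so that a replaced access token is noticed, written out as an added example (not part of the thread or of any OpenID draft). The function names and sample values are hypothetical, and the id_token claims are assumed to have been validated already.

```python
class UserInfoMismatch(Exception):
    """UserInfo response does not belong to the user named in the id_token."""


def userinfo_subject(userinfo):
    """Return the single user identifier carried by a UserInfo response.

    The thread says the claim is called `id` in UserInfo and `user_id` in the
    id_token, with a proposal to call both `user_id`; accept either name, but
    refuse a response where the two are present and disagree.
    """
    values = {str(userinfo[k]) for k in ("user_id", "id")
              if userinfo.get(k) is not None}
    if len(values) != 1:
        raise UserInfoMismatch("UserInfo must carry exactly one user identifier")
    return values.pop()


def check_userinfo_binding(id_token_claims, userinfo):
    """Reject UserInfo that describes a different user than the id_token.

    Assumption: id_token_claims comes from an id_token the caller has already
    validated. Identifiers are compared as strings (assumption: a provider may
    serialize the id as a JSON number in one place and a string in the other).
    """
    expected = id_token_claims.get("user_id")
    if expected is None or str(expected) == "":
        raise UserInfoMismatch("id_token has no user_id")
    if userinfo_subject(userinfo) != str(expected):
        raise UserInfoMismatch("UserInfo user id differs from id_token user_id")
    return userinfo


# Constructed sample data, not taken from the thread.
ID_TOKEN_CLAIMS = {"user_id": "24400320"}
HONEST_USERINFO = {"id": 24400320, "name": "Jane Doe"}
SWAPPED_USERINFO = {"id": "90125", "name": "Someone Else"}  # other user's token
AMBIGUOUS_USERINFO = {"id": "24400320", "user_id": "90125"}

if __name__ == "__main__":
    for label, info in [("honest", HONEST_USERINFO),
                        ("swapped", SWAPPED_USERINFO),
                        ("ambiguous", AMBIGUOUS_USERINFO)]:
        try:
            check_userinfo_binding(ID_TOKEN_CLAIMS, info)
            print(label, "accepted")
        except UserInfoMismatch as exc:
            print(label, "rejected:", exc)
```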