[Openid-specs-ab] Connect Flows and Userinfo Endpoint
John Bradley
ve7jtb at ve7jtb.com
Fri Jan 7 15:24:16 UTC 2011
One of the motivating factors of the JWT is that it can be a oAuth access token.
It seems simpler to include claims like userID in the signed access token, rather than having to include a separate access token inside.
The access token is for the user info endpoint in ether case.
Accessing public info at the user-info endpoint without a token should not be impacted by the access token format. Am I missing something?
If you get the access token through some other flow there is no particular issue with it being a JWT or some other format as long as the protected resource understands it.
Or are you talking about the protected resource being a PoCo endpoint directly?
John B.
On 2011-01-07, at 6:39 AM, Nat Sakimura wrote:
> Hmmm. That is interesting. So, it means that I should not optimize for the OpenID/OAuth use cases. The two cases below are different use cases than the OpenID/OAuth protected resource access. Is there any other use cases that people have in mind?
>
> On Fri, Jan 7, 2011 at 4:43 PM, David Recordon <dr at fb.com> wrote:
> I see two cases which may not work here:
> you're requesting public data in which case just a userid is required and no access token or JWT
> For accessing public data, one can always ask without a token.
> (I actually like the graph.facebook.com/username style access.)
> Using JWT received as a token to access restricted content does not prevent this behavior.
> Am I missing something? (In the older version of the connect proposal, it was returning such URL instead of opaque user_id. That was good.) So this does not seem to be a blocking factor.
> you got the access token via a non-OpenID OAuth 2.0 flow. I can imagine a PoCo endpoint doubling as the OpenID user info API.
> This probably is more relevant.
>
> Then the question would gets to the point Hideki pointed out:
> why cannot we make "signed" as we call now the "access_token" with token_type=signed_openid?
> It will save us from defining an OAuth extension variable called "signed" and more OAuth2.0 compliant.
>
> (As a side issue: I started to feel that we probably do not need "code" in the OAuth2.0 spec., but just "access_token" with type="authz_code". "code" is just another type of access_token which can only be used once and at the authz endpoint.)
>
>
>
> On 1/6/11 11:40 PM, "Nat Sakimura" <sakimura at gmail.com> wrote:
>
> Hi guys.
>
> Do you have objection to passing the entire JWT ("signed") instead of access_token and user_id extracted to the UserInfo endpoint?
> That seems to be a lot simpler.
>
> =nat
>
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
> http://twitter.com/_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110107/ef4b7bbd/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4767 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110107/ef4b7bbd/attachment.p7s>
More information about the Openid-specs-ab
mailing list