[Openid-specs-ab] Inconsistency between user_id and prn claims - notice of upcoming breaking change
Vladimir Dzhuvinov / NimbusDS
vladimir at nimbusds.com
Tue Dec 18 08:37:34 UTC 2012
+1 for prn. Consistency with OAuth JWT assertion makes good sense.
Thanks,
Vladimir
--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
-------- Original Message --------
Subject: [Openid-specs-ab] Inconsistency between user_id and prn claims
- notice of upcoming breaking change
From: Mike Jones <Michael.Jones at microsoft.com>
Date: Tue, December 18, 2012 1:05 am
To: "openid-specs-ab at lists.openid.net"
<openid-specs-ab at lists.openid.net>
Cc: "openid-connect-interop at googlegroups.com"
<openid-connect-interop at googlegroups.com>
Mitre and Microsoft implementers have both recently independently
pointed out that an ID Token is not currently usable as an OAuth JWT
Assertion because it uses the “user_id” claim to identify the
subject of the token, rather than the “prn” (principal) claim, as
specified in the OAuth JWT Assertion spec. This inconsistency is
already causing real problems/limitations for implementations. See
http://hg.openid.net/connect/issue/687 for more background on the issue.
This was discussed on the working group call today and it was decided
that while changing the “user_id” claim name now would be painful,
it would be more painful over time to keep having implementers try to
work around this inconsistency when they need to use an ID Token as an
OAuth JWT assertion. Therefore, we decided that the specs should be
changed so that an ID Token is a legal OAuth JWT Assertion. The
simplest way to do this would be to change all uses of the claim name
“user_id” to “prn”. Only the syntax would change – not the
meaning of the claim.
The other potential solution that was discussed was to change both the
names “user_id” and “prn” to “sub” (subject). While being a
(somewhat) more meaningful name, using “prn” was preferred because
it will involve a change only to the Connect specs – not also to the
JWT and OAuth JWT Assertion specs.
The participants in the working group call decided that we should make
this change, but we wanted to give clear notice to the working group and
interop participants of this upcoming breaking change. If you would
like to propose an alternative solution to the inconsistency, please do
so before the Thursday OpenID Connect call. We plan to include this
change in the upcoming implementer’s drafts.
-- Mike
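The inconsistency Mike describes, worked through in code. This is an added example, not code from the thread, from the Connect specs, or from the Mitre or Microsoft implementations. It assumes an HS256-signed token over a constructed secret and a constructed claim set (the issuer URL, client_id and user_id value are made up), and it encodes the checks the 2012 OAuth JWT assertion draft applied to a bearer assertion as iss, prn, aud and exp. An ID Token carrying user_id fails only the prn check; renaming the claim, as proposed, makes it pass. One caveat for anyone reading this today: the published specs later settled on "sub" for both (OpenID Connect Core 1.0, RFC 7519 and RFC 7523), so current code should look for "sub", not "prn".

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the demo only; a real OP would sign with RS256/ES256 keys.
SECRET = b"demo-shared-secret-not-for-real-use"
ISSUER = "https://op.example.com"      # assumed OP issuer URL (made up)
AUDIENCE = "client-123"                # assumed client_id / audience (made up)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact-serialization JWS (HS256) over the given claim set."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def decode_jwt(token: str, key: bytes) -> dict:
    """Verify the HS256 signature and return the claim set; refuse anything else."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Pin the algorithm: never trust alg from the token (rejects 'none' and key confusion).
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def check_jwt_assertion(claims: dict, issuer: str, audience: str, now: float = None) -> list:
    """Return the list of checks an OAuth JWT assertion (2012 draft: iss, prn, aud, exp) fails."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if "prn" not in claims:
        problems.append("prn missing")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp")
    return problems


def id_token_as_assertion(id_token_claims: dict) -> dict:
    """Apply the proposed change: the same subject claim under the name prn instead of user_id."""
    claims = dict(id_token_claims)
    if "user_id" in claims and "prn" not in claims:
        claims["prn"] = claims.pop("user_id")
    return claims


def signature_rejected(token: str, key: bytes) -> bool:
    """True if decode_jwt refuses the token under this key (tampered or wrongly keyed)."""
    try:
        decode_jwt(token, key)
    except ValueError:
        return True
    return False


def demo(now: int = 1355820000) -> tuple:
    """Constructed ID Token claim set using user_id, as the Connect drafts had it in Dec 2012."""
    id_token = {"iss": ISSUER, "user_id": "248289761001", "aud": AUDIENCE,
                "exp": now + 600, "iat": now}
    token = encode_jwt(id_token, SECRET)
    before = check_jwt_assertion(decode_jwt(token, SECRET), ISSUER, AUDIENCE, now)
    renamed = encode_jwt(id_token_as_assertion(id_token), SECRET)
    after = check_jwt_assertion(decode_jwt(renamed, SECRET), ISSUER, AUDIENCE, now)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Running demo() returns (["prn missing"], []): the same signed claim set is rejected as a bearer assertion under one claim name and accepted under the other, which is the point of the thread. The audience check is deliberately parameterised because an ID Token's aud (the client_id) and a bearer assertion's intended audience (the token endpoint) are not necessarily the same value; that is a separate question the thread does not address.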
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab