[Openid-specs-ab] Inconsistency between user_id and prn claims - notice of upcoming breaking change
Justin Richer
jricher at mitre.org
Tue Dec 18 15:10:15 UTC 2012
+1, though I prefer "sub" over "prn" as it reads better.
-- Justin
On 12/18/2012 03:37 AM, Vladimir Dzhuvinov / NimbusDS wrote:
> +1 for prn. Consistency with OAuth JWT assertion makes good sense.
>
> Thanks,
>
> Vladimir
>
> --
> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>
>
> -------- Original Message --------
> Subject: [Openid-specs-ab] Inconsistency between user_id and prn claims
> - notice of upcoming breaking change
> From: Mike Jones <Michael.Jones at microsoft.com>
> Date: Tue, December 18, 2012 1:05 am
> To: "openid-specs-ab at lists.openid.net"
> <openid-specs-ab at lists.openid.net>
> Cc: "openid-connect-interop at googlegroups.com"
> <openid-connect-interop at googlegroups.com>
>
> Mitre and Microsoft implementers have both recently independently
> pointed out that an ID Token is not currently usable as an OAuth JWT
> Assertion because it uses the “user_id” claim to identify the
> subject of the token, rather than the “prn” (principal) claim, as
> specified in the OAuth JWT Assertion spec. This inconsistency is
> already causing real problems/limitations for implementations. See
> http://hg.openid.net/connect/issue/687 for more background on the issue.
>
> This was discussed on the working group call today and it was decided
> that while changing the “user_id” claim name now would be painful,
> it would be more painful over time to keep having implementers try to
> work around this inconsistency when they need to use an ID Token as an
> OAuth JWT assertion. Therefore, we decided that the specs should be
> changed so that an ID Token is a legal OAuth JWT Assertion. The
> simplest way to do this would be to change all uses of the claim name
> “user_id” to “prn”. Only the syntax would change – not the
> meaning of the claim.
>
> The other potential solution that was discussed was to change both the
> names “user_id” and “prn” to “sub” (subject). While being a
> (somewhat) more meaningful name, using “prn” was preferred because
> it will involve a change only to the Connect specs – not also to the
> JWT and OAuth JWT Assertion specs.
>
> The participants in the working group call decided that we should make
> this change, but we wanted to give clear notice to the working group and
> interop participants of this upcoming breaking change. If you would
> like to propose an alternative solution to the inconsistency, please do
> so before the Thursday OpenID Connect call. We plan to include this
> change in the upcoming implementer’s drafts.
>
> -- Mike
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
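The interop failure Mike describes, and the renaming the working group chose, as an added Python example (not code from the thread or from any OpenID Connect implementation). It parses the compact JWT form, checks a payload against the claims the OAuth JWT bearer assertion draft required at the time (iss, prn, aud, exp), and applies the user_id to prn rename. The issuer, subject and audience values are constructed; the token is alg=none purely for the demonstration, and signature verification is left out because the point of the thread is the claim name, not the signature.

```python
import base64
import json

# Claims the OAuth JWT bearer assertion draft required, as discussed in
# the thread. "prn" is the subject claim name at issue; ID Tokens of the
# time carried the subject under "user_id" instead.
REQUIRED_ASSERTION_CLAIMS = ("iss", "prn", "aud", "exp")


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment (JWT compact serialization)."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_payload(token: str) -> dict:
    """Split a compact JWS into its three parts and return the decoded payload.

    No signature check is done here: this only parses the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a 3-part compact JWS")
    return json.loads(b64url_decode(parts[1]))


def assertion_problems(payload: dict, now: int) -> list:
    """Return the reasons a payload is not usable as a JWT bearer assertion.

    An empty list means the claim-level checks pass. A token that names
    its subject "user_id" fails, which is exactly the inconsistency the
    thread is about.
    """
    problems = []
    for name in REQUIRED_ASSERTION_CLAIMS:
        if name not in payload:
            problems.append("missing claim: " + name)
    if "prn" not in payload and "user_id" in payload:
        problems.append("subject is under 'user_id', not 'prn'")
    if "exp" in payload and payload["exp"] <= now:
        problems.append("expired")
    return problems


def rename_subject_claim(payload: dict, old: str = "user_id", new: str = "prn") -> dict:
    """Apply the rename the working group decided on: syntax only, not meaning.

    The value and every other claim are carried over untouched. Refuses to
    overwrite an existing claim under the new name that holds a different
    value, since that would silently change the token's subject.
    """
    if old not in payload:
        return dict(payload)
    if new in payload and payload[new] != payload[old]:
        raise ValueError(f"{old!r} and {new!r} disagree")
    renamed = {k: v for k, v in payload.items() if k != old}
    renamed[new] = payload[old]
    return renamed


def make_unsigned_jwt(payload: dict) -> str:
    """Build an alg=none compact JWT for this demonstration only.

    Real ID Tokens and assertions are signed; never accept alg=none from
    a peer.
    """
    header = {"alg": "none", "typ": "JWT"}
    compact = json.dumps(header, separators=(",", ":")).encode()
    claims = json.dumps(payload, separators=(",", ":")).encode()
    return ".".join([b64url_encode(compact), b64url_encode(claims), ""])


# Constructed sample: an ID Token of the pre-change shape. Values are
# made up for the example.
SAMPLE_ID_TOKEN_PAYLOAD = {
    "iss": "https://op.example",   # assumed issuer
    "user_id": "248289761001",     # subject under the pre-change claim name
    "aud": "s6BhdRkqt3",           # assumed client identifier
    "exp": 2000000000,
    "iat": 1355843115,
}


def demo(now: int = 1355843200):
    """Show the same token failing before the rename and passing after it."""
    token = make_unsigned_jwt(SAMPLE_ID_TOKEN_PAYLOAD)
    before = assertion_problems(jwt_payload(token), now)
    after = assertion_problems(rename_subject_claim(jwt_payload(token)), now)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because `rename_subject_claim` only touches the claim name, an issuer can apply it at minting time and an existing relying party keeps receiving the same subject value; the check in `assertion_problems` is what a token endpoint accepting JWT bearer assertions would run, and it shows why the old name could not simply be tolerated in place.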