[Openid-specs-ab] Inconsistency between user_id and prn claims - notice of upcoming breaking change

Torsten Lodderstedt torsten at lodderstedt.net
Tue Dec 18 18:53:31 UTC 2012


+1

Am 18.12.2012 16:10, schrieb Justin Richer:
> +1, though I prefer "sub" over "prn" as it reads better.
>
>  -- Justin
>
> On 12/18/2012 03:37 AM, Vladimir Dzhuvinov / NimbusDS wrote:
>> +1 for prn. Consistency with OAuth JWT assertion makes good sense.
>>
>> Thanks,
>>
>> Vladimir
>>
>> -- 
>> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>>
>>
>> -------- Original Message --------
>> Subject: [Openid-specs-ab] Inconsistency between user_id and prn claims
>> - notice of upcoming breaking change
>> From: Mike Jones <Michael.Jones at microsoft.com>
>> Date: Tue, December 18, 2012 1:05 am
>> To: "openid-specs-ab at lists.openid.net"
>> <openid-specs-ab at lists.openid.net>
>> Cc: "openid-connect-interop at googlegroups.com"
>> <openid-connect-interop at googlegroups.com>
>>
>> Mitre and Microsoft implementers have both recently independently
>> pointed out that an ID Token is not currently usable as an OAuth JWT
>> Assertion because it uses the “user_id” claim to identify the
>> subject of the token, rather than the “prn” (principal) claim, as
>> specified in the OAuth JWT Assertion spec.  This inconsistency is
>> already causing real problems/limitations for implementations. See
>> http://hg.openid.net/connect/issue/687 for more background on the issue.
>>
>> This was discussed on the working group call today and it was decided
>> that while changing the “user_id” claim name now would be painful,
>> it would be more painful over time to keep having implementers try to
>> work around this inconsistency when they need to use an ID Token as an
>> OAuth JWT assertion.  Therefore, we decided that the specs should be
>> changed so that an ID Token is a legal OAuth JWT Assertion.  The
>> simplest way to do this would be to change all uses of the claim name
>> “user_id” to “prn”.  Only the syntax would change – not the
>> meaning of the claim.
>>
>> The other potential solution that was discussed was to change both the
>> names “user_id” and “prn” to “sub” (subject).  While being a
>> (somewhat) more meaningful name, using “prn” was preferred because
>> it will involve a change only to the Connect specs – not also to the
>> JWT and OAuth JWT Assertion specs.
>>
>> The participants in the working group call decided that we should make
>> this change, but we wanted to give clear notice to the working group and
>> interop participants of this upcoming breaking change.  If you would
>> like to propose an alternative solution to the inconsistency, please do
>> so before the Thursday OpenID Connect call.  We plan to include this
>> change in the upcoming implementer’s drafts.
>>
>> -- Mike
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
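Added example, not code from the thread or from any implementation mentioned in it: the check Mike describes, written out. A claims set that carries the subject as "user_id" is reported as unusable as an OAuth JWT assertion, the rename to "prn" (same meaning, new name) clears it, and a token carrying two subject claim names with different values is refused rather than guessed at. The required-claim set, the sample claims and the clock value are constructed assumptions; signature verification is assumed to happen before these functions see the claims.

```python
# Claim names discussed in the thread: the Connect drafts used "user_id",
# the OAuth JWT Assertion draft used "prn", and "sub" was the alternative raised.
SUBJECT_CLAIMS = ("prn", "sub", "user_id")
# Other claims an OAuth JWT assertion needs (minimal set assumed for this example).
REQUIRED_CLAIMS = ("iss", "aud", "exp")


def subject_of(claims):
    """Return the subject under any of the names in use during the transition.
    Raise if two names are present and disagree: that is the inconsistency to catch."""
    values = {name: claims[name] for name in SUBJECT_CLAIMS if name in claims}
    if not values:
        return None
    if len(set(values.values())) > 1:
        raise ValueError(f"conflicting subject claims: {values}")
    return next(iter(values.values()))


def jwt_assertion_problems(claims, audience, now):
    """List why a (signature-verified) claims set is not usable as an OAuth JWT
    assertion: besides the required claims, the subject must be carried as 'prn'."""
    problems = [f"missing {name}" for name in REQUIRED_CLAIMS if name not in claims]
    if "prn" not in claims:
        carried = [name for name in SUBJECT_CLAIMS if name in claims]
        problems.append(f"subject carried as {carried} instead of prn" if carried else "missing prn")
    aud = claims.get("aud")
    if aud is not None and audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if claims.get("exp", now + 1) <= now:
        problems.append("expired")
    return problems


def rename_user_id_to_prn(claims):
    """Apply the change the working group decided on: same meaning, new claim name.
    Refuses to silently overwrite a 'prn' that disagrees with 'user_id'."""
    out = dict(claims)
    if "user_id" in out:
        uid = out.pop("user_id")
        if out.get("prn", uid) != uid:
            raise ValueError("user_id and prn disagree")
        out["prn"] = uid
    return out


# Constructed sample: an ID Token claims set as written under the pre-change drafts.
OLD_STYLE_ID_TOKEN = {"iss": "https://op.example", "user_id": "248289761001",
                      "aud": "client-123", "exp": 1355856000}
NOW = 1355852400  # constructed clock value, one hour before exp
```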