[Openid-specs-ab] Inconsistency between user_id and prn claims - notice of upcoming breaking change
Mike Jones
Michael.Jones at microsoft.com
Tue Dec 18 19:51:47 UTC 2012
Just to remove any ambiguity, was your +1 for "prn" or "sub", Torsten?
-- Mike
-----Original Message-----
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Torsten Lodderstedt
Sent: Tuesday, December 18, 2012 10:54 AM
To: Justin Richer
Cc: openid-specs-ab at lists.openid.net
Subject: Re: [Openid-specs-ab] Inconsistency between user_id and prn claims - notice of upcoming breaking change
+1
Am 18.12.2012 16:10, schrieb Justin Richer:
> +1, though I prefer "sub" over "prn" as it reads better.
>
> -- Justin
>
> On 12/18/2012 03:37 AM, Vladimir Dzhuvinov / NimbusDS wrote:
>> +1 for prn. Consistency with OAuth JWT assertion makes good sense.
>>
>> Thanks,
>>
>> Vladimir
>>
>> --
>> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>>
>>
>> -------- Original Message --------
>> Subject: [Openid-specs-ab] Inconsistency between user_id and prn
>> claims
>> - notice of upcoming breaking change
>> From: Mike Jones <Michael.Jones at microsoft.com>
>> Date: Tue, December 18, 2012 1:05 am
>> To: "openid-specs-ab at lists.openid.net"
>> <openid-specs-ab at lists.openid.net>
>> Cc: "openid-connect-interop at googlegroups.com"
>> <openid-connect-interop at googlegroups.com>
>>
>> Mitre and Microsoft implementers have both recently independently
>> pointed out that an ID Token is not currently usable as an OAuth JWT
>> Assertion because it uses the “user_id” claim to identify the subject
>> of the token, rather than the “prn” (principal) claim, as specified
>> in the OAuth JWT Assertion spec. This inconsistency is already
>> causing real problems/limitations for implementations. See
>> http://hg.openid.net/connect/issue/687 for more background on the issue.
>> This was discussed on the working group call today and it was
>> decided that while changing the “user_id” claim name now would be
>> painful, it would be more painful over time to keep having
>> implementer’s try to work around this inconsistency when they need to
>> use an ID Token as an OAuth JWT assertion. Therefore, we decided
>> that the specs should be changed so that an ID Token is a legal OAuth
>> JWT Assertion. The simplest way to do this would be to change all
>> uses of the claim name “user_id” to “prn”. Only the syntax would
>> change – not the meaning of the claim.
>> The other potential solution that was discussed was to change
>> both the names “user_id” and “prn” to “sub” (subject). While being a
>> (somewhat) more meaningful name, using “prn” was preferred because it
>> will involve a change only to the Connect specs – not also to the JWT
>> and OAuth JWT Assertion specs.
>> The participants in the working group call decided that we
>> should make this change, but we wanted to give clear notice to the
>> working group and interop participants of this upcoming breaking
>> change. If you would like to propose an alternative solution to the
>> inconsistency, please do so before the Thursday OpenID Connect call.
>> We plan to include this change in the upcoming implementer’s drafts.
>> -- Mike
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
More information about the Openid-specs-ab
mailing list