[Openid-specs-ab] Spec call notes 21-Feb-13
Justin Richer
jricher at mitre.org
Thu Feb 21 16:38:27 UTC 2013
> John said that the one thing that we could potentially
> drop as MTI is the "request" parameter
>
> while keeping "request_uri" as MTI
>
I thought that what we'd discussed was actually the other way around?
"Request" would be MTI but "request_uri" with the fetching and whatnot
was considered significantly more scary? It's entirely possible that I
missed some key part of this conversation, so please correct me if I'm
wrong.
> Tim and Justin felt that UserInfo should be MTI for all
> non-self-issued OPs
>
> It makes client code much easier
>
> It's actually only required to return
> the "sub" claim
>
> We decided to make this required for
> other than for non-self-issued OPs
>
John described it in a way that I think is actually cleaner: If you
issue an access_token, you have to have a UserInfo Endpoint to use it
at. This effectively says that anybody who just wants to deal in
ID-token land (like self-issued) doesn't have to deal with UserInfo
Endpoints.
-- Justin