[Openid-specs-ab] Spec call notes 21-Feb-13
Nat Sakimura
sakimura at gmail.com
Fri Feb 22 02:14:21 UTC 2013
=nat via iPhone
On Feb 21, 2013 11:39, Justin Richer <jricher at mitre.org> wrote:
>> John said that the one thing that we could potentially
>> drop as MTI is the "request" parameter
>> while keeping "request_uri" as MTI
>
> I thought that what we'd discussed was actually the other way around?
> "Request" would be MTI but "request_uri" with the fetching and whatnot was
> considered significantly more scary? It's entirely possible that I missed
> some key part of this conversation, so please correct me if I'm wrong.

I was not in the call, but from our previous discussions, I believe it is
the request_uri that we should keep. There are privacy and other reasons
for that.

=nat

>> Tim and Justin felt that UserInfo should be MTI for all
>> non-self-issued OPs
>> It makes client code much easier
>> It's actually only required to return the
>> "sub" claim
>> We decided to make this required for other
>> than for non-self-issued OPs
>
> John described it in a way that I think is actually cleaner: If you issue
> an access_token, you have to have a UserInfo Endpoint to use it at. This
> effectively says that anybody who just wants to deal in ID-token land (like
> self-issued) doesn't have to deal with UserInfo Endpoints.
>
> -- Justin
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab