[Openid-specs-ab] Please respond: poll on claims_in_id_token switch in the scope

hideki nara hdknr at ic-tact.co.jp
Thu Jun 7 20:23:04 UTC 2012


Hi,

Seems to be too late, but how about this:

- id_token includes  user info claims by default.
- if there is no  user info claims in id_token, RP should go to
UserInfo EP with access_token.
- OP can exclude user info claims if a response would be too large,
mainly  for Implicit flow.
- If the User doesn't want his user info to be available to RP,
   no access token will be returned and no user info claims are
included in id_token.
- Now we don't need  "claims_in_id_token" scope anymore.

---
hdknr

2012/6/7 Nat Sakimura <sakimura at gmail.com>:
> I would like to take this issue to a closure quickly.
> These issues were discussed at F2F on May 1.
> However, that was only among the f2f participant.
> I understand the current comments are from those who were not at F2F,
> and implementers' comments from those implementing it.
> I would appreciate a quick response to the following questions so to
> sum up a bit to help the progress in this issue:
>
> 1. Please indicate which is your preferred way.
>
>    a) Using claims_in_id_token switch in the "scope"
>    b) Using a new response type.
>
>    Note: on May 1 F2F, 1-a) was chosen. This is how the current draft
> was prepared. (cf. issue #561)
>
> 2. If 1-b) is chosen, which do you prefer:
>
>    a) A combined response type: e.g., id_token_with_userinfo
>    b) combination of id_token and userinfo
>
> 3. As a method for returning userinfo claims in the front channel,
> which do you prefer?
>
>     a) Claims in id_token
>     b) separate userinfo token with its metadata in id_token?
>
>     Note: At the F2F, a) was chosen.
>
> Thanks for your cooperation.
>
> Nat Sakimura
>
> On 2012/06/07, at 15:29, Roland Hedberg <roland.hedberg at adm.umu.se> wrote:
>
>>
>> 7 jun 2012 kl. 07:40 skrev nov matake:
>>
>>> I'm OK with both making single "id_token_with_userinfo" response type or combination of "id_token" and "userinfo".
>>
>>
>> I'm definitely in favor of the later.
>> That is letting 'id_token' contain metadata about the userinfo and the authentication, and 'userinfo' pure user info.
>> Similar to the structure of the openid request object.
>>
>> -- Roland
>> ------------------------------------------------------
>> Roland Hedberg
>> IT Architect/Senior Researcher
>> ICT Services and System Development (ITS)
>> Umeå University
>> SE-901 87 Umeå, Sweden
>> Phone +46 90 786 68 44
>> Mobile +46 70 696 68 44
>> www.its.umu.se
>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab


More information about the Openid-specs-ab mailing list