[Openid-specs-ab] [openid/connect] Messages - Add 'prn' claim to id_token to support JWT Assertion (issue #687)

Justin Richer issues-reply at bitbucket.org
Thu Dec 13 16:11:04 UTC 2012


New issue 687: Messages - Add 'prn' claim to id_token to support JWT Assertion
https://bitbucket.org/openid/connect/issue/687/messages-add-prn-claim-to-id_token-to

Justin Richer:

In an on-list discussion, I suggested using the JWT Assertion grant as a method of id token renewal:

http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20121105/002506.html

In order to fulfil the parsing requirements of the JWT Bearer Assertion, the id_token would need a 'prn' field representing the user. Right now, this is a role being fulfilled by the 'user_id' field, and adding a 'prn' field (which I've done in my testing environment) with the same information would be needlessly redundant. However, it's the only field missing from the id_token being usable in a JWT Bearer Assertion, and it would be useful to be able to treat the id_token like a generic JWT in many circumstances.

Alternatively, this begs the question of why the id_token needs a 'user_id' field if JWT already defines something for this. I believe the answer is that the id_token definition predates JWT having the 'prn' field, but I'm not positive. I also believe that 'user_id' reads much better than 'prn' (unless you're a SAML nerd). I've never been a fan of JWT's short names, either, but that's beside the point.
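An added example illustrating the gap described above; it is not part of the original message or of any OpenID Connect implementation. It assumes the draft-era JWT Bearer Assertion requires 'iss', 'prn', 'aud' and 'exp', uses HS256 with a constructed shared key, and treats an id_token that carries 'user_id' but no 'prn' as unusable as an assertion until 'prn' is added with the same value.

```python
import base64
import hashlib
import hmac
import json
import time

# Claims assumed to be mandatory for a JWT Bearer Assertion (draft-era set).
ASSERTION_CLAIMS = ("iss", "prn", "aud", "exp")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialised HS256 JWT (constructed helper, not a library API)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the HMAC before trusting any claim; returns the decoded payload."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("signature check failed")
    return json.loads(b64url_decode(payload))


def assertion_problems(claims: dict, now: float = None) -> list:
    """List why a verified id_token payload cannot serve as a bearer assertion."""
    now = time.time() if now is None else now
    problems = [f"missing {name}" for name in ASSERTION_CLAIMS if name not in claims]
    if "exp" in claims and claims["exp"] <= now:
        problems.append("expired")
    # If both are present they must name the same principal, or the token is suspect.
    if "prn" in claims and "user_id" in claims and claims["prn"] != claims["user_id"]:
        problems.append("prn and user_id disagree")
    return problems
```

Run the id_token payload through `verify_jwt` and then `assertion_problems`: the only complaint is the absent 'prn', and re-issuing the token with `prn` equal to `user_id` clears it.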

