[Openid-specs-ab] JWT claims in signed UserInfo responses
torsten at lodderstedt.net
Wed Nov 6 18:17:11 UTC 2013
I'm getting confused. I thought the reason to encrypt/sign UserInfo is
to implement end2end message security. I don't see the UserInfo response
as another kind of assertion intended to be passed around. The ID Token
is intended for that purpose, right?
Therefore I don't see a need to add aud or iss claims to the UserInfo
On 06.11.2013 02:29, Nat Sakimura wrote:
> And perhaps aud as well to prevent an accidental transfer to a third
> It is not a MUST but still is a good practice.
> =nat via iPhone
> On Nov 6, 2013, at 1:56, "Vladimir Dzhuvinov / NimbusDS"
> <vladimir at nimbusds.com> wrote:
>> Hi guys,
>> For UserInfo responses encoded as JWTs - which of the standard JWT
>> claims, apart from the mandatory "sub", do you choose to include?
>> It appears to me that in order for the UserInfo to be suitable for
>> passing around as a JWT it should include at least the "iss" claim.
>> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
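A relying-party check for a signed UserInfo response that covers the claims discussed in this thread, as an added example that is not part of the original messages or of any project's code: "sub" is required and tied to the ID Token's subject, while "iss" and "aud" are treated as optional but enforced when present, so a response issued for another client is rejected. Assumptions: HS256 with a shared key stands in for the OP's signing algorithm to keep the example standard-library only, and all names and sample values are constructed.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Stand-in for the OP's signer; only used to build the constructed samples."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def check_userinfo_jwt(token, key, id_token_sub, issuer, client_id) -> dict:
    """Return the verified claims or raise ValueError naming the failed check."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed JWT") from None
    # Pin the algorithm instead of trusting whatever the header announces.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    if not isinstance(claims, dict):
        raise ValueError("malformed JWT")
    # "sub" is the mandatory claim; tie it to the subject of the ID Token.
    if claims.get("sub") != id_token_sub:
        raise ValueError("sub does not match ID Token")
    # "iss" and "aud" are optional here, but are enforced whenever present.
    if "iss" in claims and claims["iss"] != issuer:
        raise ValueError("iss mismatch")
    if "aud" in claims:
        aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if client_id not in aud:
            raise ValueError("aud does not include this client")
    return claims

# Constructed sample values, not taken from the thread.
KEY, ISSUER, CLIENT_ID = b"constructed-demo-key", "https://op.example.com", "client-a"
BARE = sign_hs256({"sub": "alice"}, KEY)
FOR_OTHER_RP = sign_hs256({"sub": "alice", "iss": ISSUER, "aud": "client-b"}, KEY)
```

`BARE` passes because it carries only "sub"; `FOR_OTHER_RP` has a valid signature and subject but fails the audience check when presented to `client-a`.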