[Openid-specs-ab] JWT claims in signed UserInfo responses

Torsten Lodderstedt torsten at lodderstedt.net
Wed Nov 6 18:17:11 UTC 2013


I'm getting confused. I thought the reason to encrypt/sign UserInfo is 
to implement end-to-end message security. I don't see the UserInfo response 
as another kind of assertion intended to be passed around. The ID Token 
is intended for that purpose, right?

Therefore I don't see a need to add aud or iss claims to the UserInfo 
response.


On 06.11.2013 02:29, Nat Sakimura wrote:
> +1
> 
> And perhaps aud as well to prevent an accidental transfer to a third 
> party.
> It is not a MUST but still is a good practice.
> 
> =nat via iPhone
> 
> On Nov 6, 2013 1:56, "Vladimir Dzhuvinov / NimbusDS" 
> <vladimir at nimbusds.com> wrote:
> 
>> Hi guys,
>> 
>> For UserInfo responses encoded as JWTs - which of the standard JWT
>> claims, apart from the mandatory "sub", do you choose to include?
>> 
>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-4.1
>> 
>> It appears to me that in order for the UserInfo to be suitable for
>> passing around as a JWT it should include at least the "iss" claim.
>> 
>> Thanks,
>> 
>> Vladimir
>> 
>> --
>> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
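As an added example, not part of the thread: a small stdlib-only Python check that verifies a signed UserInfo JWT and enforces the "iss" and "aud" claims Vladimir and Nat suggest, so a response minted for one client is rejected if it is presented to another. The HMAC key, issuer URL and client ids are constructed placeholders; a real RP would verify the OP's asymmetric signature against its published JWK set rather than a shared secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared HMAC key for the example only; a real OP signs with its
# private key and the client verifies against the OP's JWK set.
OP_KEY = b"constructed-example-key-not-for-real-use"
OP_ISSUER = "https://op.example.com"  # hypothetical issuer identifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_userinfo(claims: dict) -> str:
    """Produce a compact JWS (HS256) carrying the UserInfo claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_userinfo(token: str, expected_iss: str, client_id: str) -> dict:
    """Check the signature, then iss and aud; raise ValueError on any mismatch."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(OP_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != expected_iss:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:  # the accidental-transfer case Nat describes
        raise ValueError("token not addressed to this client")
    return claims


if __name__ == "__main__":
    tok = sign_userinfo({"sub": "248289761001", "iss": OP_ISSUER, "aud": "client-a"})
    print(verify_userinfo(tok, OP_ISSUER, "client-a")["sub"])  # accepted at client-a
    try:
        verify_userinfo(tok, OP_ISSUER, "client-b")  # same token replayed elsewhere
    except ValueError as e:
        print("rejected:", e)
```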

