[Openid-specs-ab] JWT claims in signed UserInfo responses

Nat Sakimura sakimura at gmail.com
Wed Nov 6 19:28:45 UTC 2013


Right, it is not an assertion that you reuse for something.
Having said that, sub is only scoped to iss, and when storing the userinfo
result at the client, it probably is a good idea to store iss with it.

The reason for including aud also is not to use it as a token, but as a
metadata to prevent the accidental leak.


2013/11/6 Torsten Lodderstedt <torsten at lodderstedt.net>

> I'm getting confused. I thought the reason to encrypt/sign UserInfo is to
> implement end2end message security. I don't see the UserInfo response as
> another kind of assertion intended to be passed around. The ID Token is
> intended for that purpose, right?
>
> Therefore I don't see a need to add aud or iss claims to the UserInfo
> response.
>
>
> Am 06.11.2013 02:29, schrieb Nat Sakimura:
>
>  +1
>>
>> And perhaps aud as well to prevent an accidental transfer to a third
>> party.
>> It is not a MUST but still is a good practice.
>>
>> =nat via iPhone
>>
>> Nov 6, 2013 1:56、"Vladimir Dzhuvinov / NimbusDS" <vladimir at nimbusds.com>
>> のメッセージ:
>>
>>  Hi guys,
>>>
>>> For UserInfo responses encoded as JWTs - which of the standard JWT
>>> claims, apart from the mandatory "sub", do you choose to include?
>>>
>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-
>>> token-12#section-4.1
>>>
>>> It appears to me that in order for the UserInfo to be suitable for
>>> passing around as a JWT it should include at least the "iss" claim.
>>>
>>> Thanks,
>>>
>>> Vladimir
>>>
>>> --
>>> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20131106/6eb10da1/attachment.html>


More information about the Openid-specs-ab mailing list