[Openid-specs-ab] JWT claims in signed UserInfo responses

Torsten Lodderstedt torsten at lodderstedt.net
Wed Nov 6 19:34:04 UTC 2013


Thanks for the clarification.



Nat Sakimura <sakimura at gmail.com> wrote:
>Right, it is not an assertion that you reuse for something.
>Having said that, sub is only scoped to iss, and when storing the userinfo
>result at the client, it probably is a good idea to store iss with it.
>
>The reason for including aud also is not to use it as a token, but as a
>metadata to prevent the accidental leak.
>
>
>2013/11/6 Torsten Lodderstedt <torsten at lodderstedt.net>
>
>> I'm getting confused. I thought the reason to encrypt/sign UserInfo is to
>> implement end2end message security. I don't see the UserInfo response as
>> another kind of assertion intended to be passed around. The ID Token is
>> intended for that purpose, right?
>>
>> Therefore I don't see a need to add aud or iss claims to the UserInfo
>> response.
>>
>>
>> On 06.11.2013 02:29, Nat Sakimura wrote:
>>
>>> +1
>>>
>>> And perhaps aud as well to prevent an accidental transfer to a third
>>> party.
>>> It is not a MUST but still is a good practice.
>>>
>>> =nat via iPhone
>>>
>>> Message from "Vladimir Dzhuvinov / NimbusDS" <vladimir at nimbusds.com>,
>>> Nov 6, 2013 1:56:
>>>
>>>> Hi guys,
>>>>
>>>> For UserInfo responses encoded as JWTs - which of the standard JWT
>>>> claims, apart from the mandatory "sub", do you choose to include?
>>>>
>>>> http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-4.1
>>>>
>>>> It appears to me that in order for the UserInfo to be suitable for
>>>> passing around as a JWT it should include at least the "iss" claim.
>>>>
>>>> Thanks,
>>>>
>>>> Vladimir
>>>>
>>>> --
>>>> Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>
>>
>
>
>
>-- 
>Nat Sakimura (=nat)
>Chairman, OpenID Foundation
>http://nat.sakimura.org/
>@_nat_en
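The claim discipline the thread converges on (sub is only meaningful together with iss, so store the pair; aud is optional, but when present it must name the receiving client so a response accidentally forwarded elsewhere is rejected) can be enforced at the client when it accepts a signed UserInfo JWT. The following is an added example, not code from the list or from any of the posters' projects; it assumes an HS256 shared key and constructed claim values purely so it runs offline, whereas a real client would verify against the OP's published keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key for HS256; a real client would use the OP's JWK set.
SHARED_KEY = b"constructed-example-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_userinfo_jwt(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build a signed (HS256) UserInfo JWT from the given claims (test helper)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_userinfo(token: str, expected_iss: str, client_id: str, key: bytes = SHARED_KEY):
    """Verify the signature, then apply the iss/aud checks discussed on the list.

    Returns ((iss, sub), claims): the tuple is the key under which the client
    should store the response, since sub is only scoped to its issuer."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":          # pin the algorithm before checking
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if "sub" not in claims:
        raise ValueError("sub is mandatory")
    # Without iss the response cannot be attributed to an OP, so sub is meaningless.
    if claims.get("iss") != expected_iss:
        raise ValueError("iss missing or not the expected issuer")
    # aud is not a MUST, but if present it has to name this client (accidental-leak guard).
    if "aud" in claims:
        aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
        if client_id not in aud:
            raise ValueError("aud does not include this client")
    return (claims["iss"], claims["sub"]), claims
```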

