Ryo is not suggesting to create another token, I think. He is suggesting to get those claims into id_token. <div><br></div><div>Is that correct, Ryo? </div><div><br></div><div>Nat<br><br><div class="gmail_quote">On Thu, Jun 7, 2012 at 4:55 PM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Using a new response type would make the specification and implementations more complicated - not simpler. That's why the working group decided to add the claims to the ID Token - not create yet another token. We're already getting serious push-back on having a second one. Adding a third one would cause many people to write us off as building something WAY too complex - at least as I see it. Reread <a href="http://hg.openid.net/connect/issue/521" target="_blank">http://hg.openid.net/connect/issue/521</a> for one such comment we've already received that I transcribed.<br>
<br>
It's a simplification to allow all claims to be returned in one token. Suggesting three, while "logical", in practice, is probably more complexity than implementers will be willing to put up with! I feel very strongly about this.<br>
<br>
Complexity is the enemy of adoption.<br>
<span class="HOEnZb"><font color="#888888"><br>
-- Mike<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
-----Original Message-----<br>
From: <a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>] On Behalf Of Ryo Ito<br>
Sent: Thursday, June 07, 2012 12:41 AM<br>
To: <a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
Subject: Re: [Openid-specs-ab] Please respond: poll on claims_in_id_token switch in the scope<br>
<br>
1. b)<br>
<br>
2. b)<br>
<br>
3. a)<br>
<br>
I think that response_type params allows the flexible definition.<br>
"id_token userinfo" means that id_token includes user claims.<br>
If more detailed claims control is necessary, RP uses Request Object.<br>
<br>
Ryo.<br>
<br>
2012/6/7 Nat Sakimura <<a href="mailto:sakimura@gmail.com">sakimura@gmail.com</a>>:<br>
> I would like to take this issue to a closure quickly.<br>
> These issues were discussed at F2F on May 1.<br>
> However, that was only among the f2f participant.<br>
> I understand the current comments are from those who were not at F2F,<br>
> and implementers' comments from those implementing it.<br>
> I would appreciate a quick response to the following questions so to<br>
> sum up a bit to help the progress in this issue:<br>
><br>
> 1. Please indicate which is your preferred way.<br>
><br>
> a) Using claims_in_id_token switch in the "scope"<br>
> b) Using a new response type.<br>
><br>
> Note: on May 1 F2F, 1-a) was chosen. This is how the current draft<br>
> was prepared. (cf. issue #561)<br>
><br>
> 2. If 1-b) is chosen, which do you prefer:<br>
><br>
> a) A combined response type: e.g., id_token_with_userinfo<br>
> b) combination of id_token and userinfo<br>
><br>
> 3. As a method for returning userinfo claims in the front channel,<br>
> which do you prefer?<br>
><br>
> a) Claims in id_token<br>
> b) separate userinfo token with its metadata in id_token?<br>
><br>
> Note: At the F2F, a) was chosen.<br>
><br>
> Thanks for your cooperation.<br>
><br>
> Nat Sakimura<br>
><br>
> On 2012/06/07, at 15:29, Roland Hedberg <<a href="mailto:roland.hedberg@adm.umu.se">roland.hedberg@adm.umu.se</a>> wrote:<br>
><br>
>><br>
>> 7 jun 2012 kl. 07:40 skrev nov matake:<br>
>><br>
>>> I'm OK with both making single "id_token_with_userinfo" response type or combination of "id_token" and "userinfo".<br>
>><br>
>><br>
>> I'm definitely in favor of the later.<br>
>> That is letting 'id_token' contain metadata about the userinfo and the authentication, and 'userinfo' pure user info.<br>
>> Similar to the structure of the openid request object.<br>
>><br>
>> -- Roland<br>
>> ------------------------------------------------------<br>
>> Roland Hedberg<br>
>> IT Architect/Senior Researcher<br>
>> ICT Services and System Development (ITS) Umeċ University<br>
>> SE-901 87 Umeċ, Sweden<br>
>> Phone <a href="tel:%2B46%2090%20786%2068%2044" value="+46907866844">+46 90 786 68 44</a><br>
>> Mobile <a href="tel:%2B46%2070%20696%2068%2044" value="+46706966844">+46 70 696 68 44</a><br>
>> <a href="http://www.its.umu.se" target="_blank">www.its.umu.se</a><br>
>><br>
>> _______________________________________________<br>
>> Openid-specs-ab mailing list<br>
>> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
> _______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
<br>
<br>
--<br>
====================<br>
Ryo Ito<br>
Email : <a href="mailto:ritou.06@gmail.com">ritou.06@gmail.com</a><br>
====================<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
<br>
</div>