<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 12/19/2012 03:07 PM, Breno de
Medeiros wrote:<br>
</div>
<blockquote
cite="mid:CAAJ++qHRLx-3XU+Ywm_yaRASL57XWQic8ZjF6sQDcrOeCpc=sw@mail.gmail.com"
type="cite">
<div style="font-family: arial, helvetica, sans-serif; font-size:
10pt">
<div dir="ltr">
<div class="gmail_default" style=""><br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Dec 19, 2012 at 11:09 AM,
Mike Jones <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:Michael.Jones@microsoft.com"
target="_blank">Michael.Jones@microsoft.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">While
of course you’re right that “prn” isn’t highly
intuitive, neither are the contents of this
particular claim. It will contain values not
intended for consumption by humans, such as
24400320 or
AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4 – not
values intended for human consumption such as
<a moz-do-not-send="true"
href="mailto:ben@livefyre.com" target="_blank">ben@livefyre.com</a>.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">UID
(or for that matter user_id) don’t work in the
general case because the principal/subject may
not be a user. It could be an OAuth client, a
service, etc.</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">FYI,
“sbj” was discussed and rejected during the call
because it’s really not any more intuitive than
“prn” and if we use anything other than “prn”
we’d have to change two IETF specs as well (JWT
and the OAuth JWT Assertion Profile).</span></p>
</div>
</div>
</blockquote>
<div><br>
</div>
<div style="">But neither of these other specs are final,
right?</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
Correct, and I think that Mike's claim is a little bit of a red
herring. Making a change will have some friction, but not enough for
it to be impossible. I would rather us have something that is
intuitive to the intended audience -- developers. "sub", to me, is
more common and understandable than "prn". But I'm also not coming
from a SAML or even a general Security Nerd background, where
"principal" is used more often.<br>
<br>
-- Justin<br>
<br>
<blockquote
cite="mid:CAAJ++qHRLx-3XU+Ywm_yaRASL57XWQic8ZjF6sQDcrOeCpc=sw@mail.gmail.com"
type="cite">
<div style="font-family: arial, helvetica, sans-serif; font-size:
10pt">
<div dir="ltr">
<div class="gmail_extra">
<div class="gmail_quote">
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="blue" vlink="purple" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">
-- Mike</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
<a moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">openid-connect-interop@googlegroups.com</a>
[mailto:<a moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">openid-connect-interop@googlegroups.com</a>]
<b>On Behalf Of </b>Benjamin Goering<br>
<b>Sent:</b> Tuesday, December 18, 2012 9:37 PM<br>
<b>To:</b> <a moz-do-not-send="true"
href="mailto:openid-connect-interop@googlegroups.com"
target="_blank">openid-connect-interop@googlegroups.com</a><br>
<b>Cc:</b> <a moz-do-not-send="true"
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Subject:</b> Re: Inconsistency between
user_id and prn claims - notice of upcoming
breaking change</span></p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">`prn` doesn't map to anything
intuitive to most non-expert hackers in the
industry (IMHO), and `subj` would be better than
`sub` (subscription). Is `uid` an option given
knowledge of these other specs? Just my naive
opinion.</p>
<div>
<div class="h5"><br>
<br>
On Monday, December 17, 2012 5:05:26 PM UTC-8,
Mike Jones wrote:</div>
</div>
<div>
<div class="h5">
<div>
<div>
<p class="MsoNormal">Mitre and Microsoft
implementers have both recently
independently pointed out that an ID Token
is not currently usable as an OAuth JWT
Assertion because it uses the “user_id”
claim to identify the subject of the
token, rather than the “prn” (principal)
claim, as specified in the OAuth JWT
Assertion spec. This inconsistency is
already causing real problems/limitations
for implementations. See
<a moz-do-not-send="true"
href="http://hg.openid.net/connect/issue/687"
target="_blank">http://hg.openid.net/connect/issue/687</a>
for more background on the issue.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">This was discussed on
the working group call today and it was
decided that while changing the “user_id”
claim name now would be painful, it would
be more painful over time to keep having
implementers try to work around this
inconsistency when they need to use an ID
Token as an OAuth JWT assertion.
Therefore, we decided that the specs
should be changed so that an ID Token is a
legal OAuth JWT Assertion. The simplest
way to do this would be to change all uses
of the claim name “user_id” to “prn”.
Only the syntax would change – not the
meaning of the claim.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The other potential
solution that was discussed was to change
both the names “user_id” and “prn” to
“sub” (subject). While being a (somewhat)
more meaningful name, using “prn” was
preferred because it will involve a change
only to the Connect specs – not also to
the JWT and OAuth JWT Assertion specs.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">The participants in the
working group call decided that we should
make this change, but we wanted to give
clear notice to the working group and
interop participants of this upcoming
breaking change. If you would like to
propose an alternative solution to the
inconsistency, please do so before the
Thursday OpenID Connect call. We plan to
include this change in the upcoming
implementer’s drafts.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">
-- Mike</p>
<p class="MsoNormal"> </p>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a moz-do-not-send="true"
href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a moz-do-not-send="true"
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
--Breno<br>
<br>
</div>
</div>
</div>
<br>
</blockquote>
<br>
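<p>As an added illustration (not code from this thread, nor from the JWT, OAuth JWT Assertion or Connect specs it names): a minimal HS256-verifying extractor of the principal claim, showing concretely why an ID Token that carries only <code>user_id</code> fails where an OAuth JWT assertion consumer looks for <code>prn</code>, plus an optional migration-period tolerance for the old name. The demo key, issuer value, and the rule rejecting tokens in which both claims disagree are this example's own assumptions.</p>

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for the sample tokens; a real verifier uses the issuer's key.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS over the claims (only used to construct samples)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def subject_of(token: str, key: bytes, accept_legacy_user_id: bool = False) -> tuple:
    """Verify the signature, then return (claim_name, value) identifying the principal.

    The OAuth JWT Assertion profile names the principal "prn"; pre-rename ID Tokens
    carry "user_id" instead, so by default a "user_id"-only token is rejected (the
    interop failure the thread describes). The legacy flag is this example's own
    migration-period allowance, not something either spec defines.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed compact JWS") from None
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    prn, user_id = claims.get("prn"), claims.get("user_id")
    if prn is not None and user_id is not None and prn != user_id:
        raise ValueError("prn and user_id disagree")  # refuse an ambiguous identity
    if prn is not None:
        return ("prn", prn)
    if user_id is not None and accept_legacy_user_id:
        return ("user_id", user_id)
    raise ValueError("no prn claim: this ID Token is not a usable OAuth JWT assertion")
```

<p>The claim name the specs eventually standardized on is <code>sub</code> (RFC 7519 and OpenID Connect Core), so a present-day verifier would look for that rather than either name debated here.</p>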
</body>
</html>