<div style="font-family: arial, helvetica, sans-serif; font-size: 10pt"><div dir="ltr"><div class="gmail_default" style>While the rename represents another breaking change to Google's early implementation and will require additional transition planning, I can't say that I am against the universal usage of 'prn'. I expect that developers and deployers will appreciate being able to expect 'prn' in all their interactions.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Dec 18, 2012 at 11:51 AM, Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Just to remove any ambiguity, was your +1 for "prn" or "sub", Torsten?<br>
<span class="HOEnZb"><font color="#888888"><br>
-- Mike<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
-----Original Message-----<br>
From: <a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net">openid-specs-ab-bounces@lists.openid.net</a>] On Behalf Of Torsten Lodderstedt<br>
Sent: Tuesday, December 18, 2012 10:54 AM<br>
To: Justin Richer<br>
Cc: <a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a><br>
Subject: Re: [Openid-specs-ab] Inconsistency between user_id and prn claims - notice of upcoming breaking change<br>
<br>
+1<br>
<br>
Am 18.12.2012 16:10, schrieb Justin Richer:<br>
> +1, though I prefer "sub" over "prn" as it reads better.<br>
><br>
> -- Justin<br>
><br>
> On 12/18/2012 03:37 AM, Vladimir Dzhuvinov / NimbusDS wrote:<br>
>> +1 for prn. Consistency with OAuth JWT assertion makes good sense.<br>
>><br>
>> Thanks,<br>
>><br>
>> Vladimir<br>
>><br>
>> --<br>
>> Vladimir Dzhuvinov : <a href="http://www.NimbusDS.com" target="_blank">www.NimbusDS.com</a> : <a href="mailto:vladimir@nimbusds.com">vladimir@nimbusds.com</a><br>
>><br>
>><br>
>> -------- Original Message --------<br>
>> Subject: [Openid-specs-ab] Inconsistency between user_id and prn<br>
>> claims<br>
>> - notice of upcoming breaking change<br>
>> From: Mike Jones <<a href="mailto:Michael.Jones@microsoft.com">Michael.Jones@microsoft.com</a>><br>
>> Date: Tue, December 18, 2012 1:05 am<br>
>> To: "<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>"<br>
>> <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>><br>
>> Cc: "<a href="mailto:openid-connect-interop@googlegroups.com">openid-connect-interop@googlegroups.com</a>"<br>
>> <<a href="mailto:openid-connect-interop@googlegroups.com">openid-connect-interop@googlegroups.com</a>><br>
>><br>
>> Mitre and Microsoft implementers have both recently independently<br>
>> pointed out that an ID Token is not currently usable as an OAuth JWT<br>
>> Assertion because it uses the “user_id” claim to identify the subject<br>
>> of the token, rather than the “prn” (principal) claim, as specified<br>
>> in the OAuth JWT Assertion spec. This inconsistency is already<br>
>> causing real problems/limitations for implementations. See<br>
>> <a href="http://hg.openid.net/connect/issue/687" target="_blank">http://hg.openid.net/connect/issue/687</a> for more background on the issue.<br>
>> This was discussed on the working group call today and it was<br>
>> decided that while changing the “user_id” claim name now would be<br>
>> painful, it would be more painful over time to keep having<br>
>> implementer’s try to work around this inconsistency when they need to<br>
>> use an ID Token as an OAuth JWT assertion. Therefore, we decided<br>
>> that the specs should be changed so that an ID Token is a legal OAuth<br>
>> JWT Assertion. The simplest way to do this would be to change all<br>
>> uses of the claim name “user_id” to “prn”. Only the syntax would<br>
>> change – not the meaning of the claim.<br>
>> The other potential solution that was discussed was to change<br>
>> both the names “user_id” and “prn” to “sub” (subject). While being a<br>
>> (somewhat) more meaningful name, using “prn” was preferred because it<br>
>> will involve a change only to the Connect specs – not also to the JWT<br>
>> and OAuth JWT Assertion specs.<br>
>> The participants in the working group call decided that we<br>
>> should make this change, but we wanted to give clear notice to the<br>
>> working group and interop participants of this upcoming breaking<br>
>> change. If you would like to propose an alternative solution to the<br>
>> inconsistency, please do so before the Thursday OpenID Connect call.<br>
>> We plan to include this change in the upcoming implementer’s drafts.<br>
>> -- Mike<br>
>> _______________________________________________<br>
>> Openid-specs-ab mailing list<br>
>> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
>> _______________________________________________<br>
>> Openid-specs-ab mailing list<br>
>> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
><br>
> _______________________________________________<br>
> Openid-specs-ab mailing list<br>
> <a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>--Breno<br><br>
</div></div>