<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><br><br>=nat via iPhone</div><div><br>Feb 21, 2013 11:39$B!"(BJustin Richer <<a href="mailto:jricher@mitre.org">jricher@mitre.org</a>> $B$N%a%C%;!<%8(B:<br>
<br></div><blockquote type="cite"><div>
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
<blockquote cite="mid:4E1F6AAD24975D4BA5B16804296739436747FF38@TK5EX14MBXC284.redmond.corp.microsoft.com" type="cite">
<div class="WordSection1">
<p class="MsoNormal"> John said that the one thing
that we could potentially drop as MTI is the "request"
parameter</p>
<p class="MsoNormal"> while keeping
"request_uri" as MTI</p>
</div>
</blockquote>
I thought that what we'd discussed was actually the other way
around? "Request" would be MTI but "request_uri" with the fetching
and whatnot was considered significantly more scary? It's entirely
possible that I missed some key part of this conversation, so please
correct me if I'm wrong.<br>
<br></div></blockquote><div><br></div>I was not in the call, but from our previous discussions, I believe it is the request_uri that we should keep. There are privacy and other reasons for that. <div><br></div><div>
=nat<br><blockquote type="cite"><div>
<blockquote cite="mid:4E1F6AAD24975D4BA5B16804296739436747FF38@TK5EX14MBXC284.redmond.corp.microsoft.com" type="cite">
<div class="WordSection1">
<p class="MsoNormal"> Tim and Justin felt that
UserInfo should be MTI for all non-self-issued OPs</p>
<p class="MsoNormal"> It makes
client code much easier</p>
<p class="MsoNormal"> It's actually
only required to return the "sub" claim</p>
<p class="MsoNormal"> We decided to
make this required for other than for non-self-issued OPs</p>
</div>
</blockquote>
<br>
John described it in a way that I think is actually cleaner: If you
issue an access_token, you have to have a UserInfo Endpoint to use
it at. This effectively says that anybody who just wants to deal in
ID-token land (like self-issued) doesn't have to deal with UserInfo
Endpoints. <br>
<br>
-- Justin<br>
</div></blockquote><blockquote type="cite"><div><span>_______________________________________________</span><br><span>Openid-specs-ab mailing list</span><br><span><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a></span><br>
<span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a></span><br></div></blockquote></div></body></html>