<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<blockquote
cite="mid:4E1F6AAD24975D4BA5B16804296739436747FF38@TK5EX14MBXC284.redmond.corp.microsoft.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">John said that the one thing
that we could potentially drop as MTI is the "request"
parameter</p>
<p class="MsoNormal">while keeping
"request_uri" as MTI</p>
</div>
</blockquote>
I thought that what we'd discussed was actually the other way
around? "Request" would be MTI but "request_uri" with the fetching
and whatnot was considered significantly more scary? It's entirely
possible that I missed some key part of this conversation, so please
correct me if I'm wrong.<br>
<br>
<blockquote
cite="mid:4E1F6AAD24975D4BA5B16804296739436747FF38@TK5EX14MBXC284.redmond.corp.microsoft.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Tim and Justin felt that
UserInfo should be MTI for all non-self-issued OPs</p>
<p class="MsoNormal">It makes
client code much easier</p>
<p class="MsoNormal">It's actually
only required to return the "sub" claim</p>
<p class="MsoNormal">We decided to
make this required for other than for non-self-issued OPs</p>
</div>
</blockquote>
<br>
John described it in a way that I think is actually cleaner: If you
issue an access_token, you have to have a UserInfo Endpoint to use
it at. This effectively says that anybody who just wants to deal in
ID-token land (like self-issued) doesn't have to deal with UserInfo
Endpoints. <br>
<br>
-- Justin<br>
</body>
</html>