<div dir="ltr">Right, it is not an assertion that you reuse for something. <div>Having said that, sub is only scoped to iss, and when storing the userinfo result at the client, it probably is a good idea to store iss with it. </div>
<div><br></div><div>The reason for including aud also is not to use it as a token, but as a metadata to prevent the accidental leak. </div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/11/6 Torsten Lodderstedt <span dir="ltr"><<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm getting confused. I thought the reason to encrypt/sign UserInfo is to implement end2end message security. I don't see the UserInfo response as another kind of assertion intended to be passed around. The ID Token is intended for that purpose, right?<br>
<br>
Therefore I don't see a need to add aud or iss claims to the UserInfo response.<br>
<br>
<br>
Am <a href="tel:06.11.2013%2002" value="+81611201302" target="_blank">06.11.2013 02</a>:29, schrieb Nat Sakimura:<div class="HOEnZb"><div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
+1<br>
<br>
And perhaps aud as well to prevent an accidental transfer to a third party.<br>
It is not a MUST but still is a good practice.<br>
<br>
=nat via iPhone<br>
<br>
Nov 6, 2013 1:56�$B!"�(B"Vladimir Dzhuvinov / NimbusDS" <<a href="mailto:vladimir@nimbusds.com" target="_blank">vladimir@nimbusds.com</a>> �$B$N%a%C%;!<%8�(B:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi guys,<br>
<br>
For UserInfo responses encoded as JWTs - which of the standard JWT<br>
claims, apart from the mandatory "sub", do you choose to include?<br>
<br>
<a href="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-4.1" target="_blank">http://tools.ietf.org/html/<u></u>draft-ietf-oauth-json-web-<u></u>token-12#section-4.1</a><br>
<br>
It appears to me that in order for the UserInfo to be suitable for<br>
passing around as a JWT it should include at least the "iss" claim.<br>
<br>
Thanks,<br>
<br>
Vladimir<br>
<br>
--<br>
Vladimir Dzhuvinov : <a href="http://www.NimbusDS.com" target="_blank">www.NimbusDS.com</a> : <a href="mailto:vladimir@nimbusds.com" target="_blank">vladimir@nimbusds.com</a><br>
______________________________<u></u>_________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.<u></u>net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/<u></u>mailman/listinfo/openid-specs-<u></u>ab</a><br>
</blockquote>
______________________________<u></u>_________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.<u></u>net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/<u></u>mailman/listinfo/openid-specs-<u></u>ab</a><br>
</blockquote>
______________________________<u></u>_________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.<u></u>net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/<u></u>mailman/listinfo/openid-specs-<u></u>ab</a><br>
</div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>