<div dir="ltr"><div><br></div><div>Obviously, both iss and aud MAY be included as this is allowed in the current draft. However, perhaps some stronger language could be worthwhile. Even if it is not in a normative language, perhaps some NOTE can be useful. </div>
<div><br></div><div>My take is: <br><div><br></div><div>iss is SHOULD. sub is scoped to iss, and to avoid any chance of conflating one sub with another identical one from another iss, it should be there. It could be RECOMMENDED instead of SHOULD. </div>
<div><br></div><div>aud is RECOMMENDED. User's consent is given to the aud. It would be easier for the service to manage the included personal data if there is an explicit aud. If not, it has to do it itself. </div></div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/11/27 Mike Jones <span dir="ltr"><<a href="mailto:Michael.Jones@microsoft.com" target="_blank">Michael.Jones@microsoft.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">So where did we land on this? If the UserInfo response is a signed JWT, did we decide to require an “iss” claim that matches the OP’s issuer value?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What about “aud”? Should we say that an “aud” claim MAY also be included? Or SHOULD be or MUST be?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">What if it’s encrypted but not signed (which I think is legal)? Should these fields be there then too?<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> -- Mike<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div>
<div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a> [mailto:<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>]
<b>On Behalf Of </b>Torsten Lodderstedt<br>
<b>Sent:</b> Wednesday, November 06, 2013 11:34 AM<br>
<b>To:</b> Nat Sakimura<br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a></span></p><div class="im"><br>
<b>Subject:</b> Re: [Openid-specs-ab] JWT claims in signed UserInfo responses<u></u><u></u></div><p></p>
</div>
</div>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Thanks for the clarification.<u></u><u></u></p><div><div class="h5">
<div>
<p class="MsoNormal"><br>
<br>
Nat Sakimura <<a href="mailto:sakimura@gmail.com" target="_blank">sakimura@gmail.com</a>> wrote:<u></u><u></u></p>
<div>
<p class="MsoNormal">Right, it is not an assertion that you reuse for something. <u></u><u></u></p>
<div>
<p class="MsoNormal">Having said that, sub is only scoped to iss, and when storing the userinfo result at the client, it probably is a good idea to store iss with it. <u></u><u></u></p>
</div>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<div>
<p class="MsoNormal">The reason for including aud also is not to use it as a token, but as a metadata to prevent the accidental leak. <u></u><u></u></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><u></u> <u></u></p>
<div>
<p class="MsoNormal">2013/11/6 Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>><u></u><u></u></p>
<p class="MsoNormal">I'm getting confused. I thought the reason to encrypt/sign UserInfo is to implement end2end message security. I don't see the UserInfo response as another kind of assertion intended to be passed around. The ID Token is intended for that
purpose, right?<br>
<br>
Therefore I don't see a need to add aud or iss claims to the UserInfo response.<br>
<br>
<br>
On 06.11.2013 02:29, Nat Sakimura wrote:<u></u><u></u></p>
<div>
<div>
<blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">+1<br>
<br>
And perhaps aud as well to prevent an accidental transfer to a third party.<br>
It is not a MUST but still is a good practice.<br>
<br>
=nat via iPhone<br>
<br>
Nov 6, 2013 1:56, "Vladimir Dzhuvinov / NimbusDS" <<a href="mailto:vladimir@nimbusds.com" target="_blank">vladimir@nimbusds.com</a>> wrote:<u></u><u></u></p>
<p class="MsoNormal">Hi guys,<br>
<br>
For UserInfo responses encoded as JWTs - which of the standard JWT<br>
claims, apart from the mandatory "sub", do you choose to include?<br>
<br>
<a href="http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-4.1" target="_blank">http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-4.1</a><br>
<br>
It appears to me that in order for the UserInfo to be suitable for<br>
passing around as a JWT it should include at least the "iss" claim.<br>
<br>
Thanks,<br>
<br>
Vladimir<br>
<br>
--<br>
Vladimir Dzhuvinov : <a href="http://www.NimbusDS.com" target="_blank">www.NimbusDS.com</a> :
<a href="mailto:vladimir@nimbusds.com" target="_blank">vladimir@nimbusds.com</a><br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><u></u><u></u></p>
</blockquote>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<u></u><u></u></p>
<div>
<p class="MsoNormal"><u></u> <u></u></p>
</div>
<p class="MsoNormal">-- <br>
Nat Sakimura (=nat)<u></u><u></u></p>
<div>
<p class="MsoNormal">Chairman, OpenID Foundation<br>
<a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>
@_nat_en<u></u><u></u></p>
</div>
</div>
</div>
</div></div></div>
</div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div>
</div>
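<p>As an added example (not code from the thread or from any of its participants), a relying-party check of a signed UserInfo JWT that applies the rules argued above: "sub" is mandatory, "iss" when present must match the OP the client queried, "aud" when present must name this client, and the claims are filed under the (iss, sub) pair so that identical "sub" values from different issuers are never conflated. It assumes HS256 with the client_secret as the key; the issuer, client_id and secret are constructed sample values, and the signing helper exists only to build sample tokens.</p>

```python
import base64, hashlib, hmac, json

# Constructed sample values for this example; not from the original thread.
OP_ISSUER = "https://op.example.com"
CLIENT_ID = "client-123"
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 key is the client_secret

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Compact JWS with HS256; used here only to construct sample tokens."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_userinfo_jwt(token: str, key: bytes, issuer: str, client_id: str):
    """Verify the signature, then apply the claim checks discussed in the thread:
    - 'sub' is mandatory and is only unique within one 'iss'
    - 'iss', when present, must equal the OP the client actually queried
    - 'aud', when present, must name this client (a response that was
      forwarded to a third party fails here)
    Returns (True, (iss, sub)), the pair the client should store the claims
    under, or (False, reason) when the response must be rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return (False, "malformed compact JWS")
    h, p, s = parts
    if json.loads(_unb64url(h)).get("alg") != "HS256":
        return (False, "unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        return (False, "bad signature")
    claims = json.loads(_unb64url(p))
    if "sub" not in claims:
        return (False, "sub is mandatory")
    if claims.get("iss", issuer) != issuer:  # absent iss: assume the OP we asked
        return (False, "iss %r is not the OP's issuer" % claims["iss"])
    aud = claims.get("aud")
    if aud is not None and client_id not in (aud if isinstance(aud, list) else [aud]):
        return (False, "aud %r does not include this client" % aud)
    return (True, (issuer, claims["sub"]))

if __name__ == "__main__":
    tok = sign_hs256({"iss": OP_ISSUER, "aud": CLIENT_ID, "sub": "alice", "name": "Alice"}, CLIENT_SECRET)
    print(verify_userinfo_jwt(tok, CLIENT_SECRET, OP_ISSUER, CLIENT_ID))
```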