Basic and maybe Messages and Standard - Several problems with statement about UserInfo response not guaranteed to be about the Subject in the session

Issue #310 resolved
Michael Jones created an issue

First, the term Subject is not defined, and yet it is used in the following statement:

NOTE: The UserInfo Endpoint response is not guaranteed to be about the Subject in the session. Therefore, it MUST NOT be used as an assertion about the user in the session unless the user_id matches the user_id in the ID Token.

It would be better to place normative requirements on implementations to compare the user_id values in the UserInfo endpoint response and the ID Token than to just give a warning.

Second, if this statement/requirement needs to be in Basic, it should be in Messages and/or Standard as well.
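The check the issue asks implementations to perform, written out as an added example in Python; this is not code from the issue, the commits, or the specification drafts. It uses the claim name `user_id` exactly as the quoted text does, builds a constructed ID Token with a placeholder signature segment, and assumes the caller has already verified the ID Token's signature and issuer before calling it (that part is deliberately out of scope here). The point it demonstrates is the binding rule: a UserInfo response whose `user_id` is absent or differs from the ID Token's `user_id` must not be treated as an assertion about the user in the session.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, the JWT segment encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact-serialized ID Token.

    Assumption: the JWS signature was verified by the caller before this
    function is used; it only splits and decodes, it does not verify.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token is not a three-segment compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def userinfo_matches_session(id_token: str, userinfo_json: str) -> bool:
    """Apply the rule from the issue: the UserInfo response may be taken as
    an assertion about the user in the session only if its user_id equals
    the user_id in the session's ID Token. A missing identifier on either
    side means the binding cannot be established, so the answer is False."""
    token_uid = id_token_claims(id_token).get("user_id")
    info_uid = json.loads(userinfo_json).get("user_id")
    if token_uid is None or info_uid is None:
        return False
    return token_uid == info_uid


def make_sample_id_token(claims: dict) -> str:
    """Build a constructed sample token for this example only.

    The third segment is a placeholder, not a real signature; a real
    client verifies the JWS before trusting any claim in the payload.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample data (hypothetical issuer, client and identifiers).
SAMPLE_ID_TOKEN = make_sample_id_token({
    "iss": "https://op.example.com",
    "user_id": "user-7f3a",
    "aud": "client-app-example",
    "exp": 1311281970,
})
# UserInfo response for the same user: passes the check.
SAMPLE_USERINFO_OK = json.dumps({"user_id": "user-7f3a", "name": "Jane Doe"})
# UserInfo response about a different user: must be rejected.
SAMPLE_USERINFO_OTHER = json.dumps({"user_id": "user-9c01", "name": "Someone Else"})
# UserInfo response with no user_id at all: binding cannot be established.
SAMPLE_USERINFO_NO_ID = json.dumps({"name": "Anonymous"})


if __name__ == "__main__":
    for label, body in [("same user", SAMPLE_USERINFO_OK),
                        ("other user", SAMPLE_USERINFO_OTHER),
                        ("no user_id", SAMPLE_USERINFO_NO_ID)]:
        print(f"{label}: usable as session assertion = "
              f"{userinfo_matches_session(SAMPLE_ID_TOKEN, body)}")
```

Returning `False` for a missing `user_id` (rather than treating absence as "no conflict") is the conservative reading of the MUST NOT: without an identifier on both sides there is nothing to match, so the response stays unbound from the session.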

Comments (7)

  1. John Bradley

    re #310 add requirement to compare user_id from user info endpoint to id_token re #310 user info example to include user_id fix language about user info response format, add media type.

    55bdda096af0
