- changed status to open
Basic and maybe Messages and Standard - Several problems with statement about UserInfo response not guaranteed to be about the Subject in the session
Issue #310
resolved
First, the term Subject is not defined, and yet it is used in the following statement:
NOTE: The UserInfo Endpoint response is not guaranteed to be about the Subject in the session. Therefore, it MUST NOT be used as an assertion about the user in the session unless the user_id matches the user_id in the ID Token.
It would be better to place normative requirements on implementations to compare the user_id values in the UserInfo endpoint response and the ID Token than to just give a warning.
Second, if this statement/requirement needs to be in Basic, it should be in Messages and/or Standard as well.
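The check the issue asks to make normative, written out as an added example (not text from the issue or from the spec). It assumes the ID Token has already been signature-validated and decoded into a dict of claims, and uses the claim name quoted in the issue, `user_id`, which later versions of OpenID Connect renamed to `sub`.

```python
"""Accept a UserInfo response only if it is about the ID Token's subject."""
import json

# Claim name as in the draft quoted by the issue; final OpenID Connect uses "sub".
SUBJECT_CLAIM = "user_id"


def userinfo_matches_id_token(id_token_claims: dict, userinfo: dict) -> bool:
    """Return True only when both documents carry the same non-empty subject.

    A missing, empty or non-string identifier on either side counts as a
    mismatch, so a UserInfo response about an unknown subject is never
    accepted. The comparison is an exact, case-sensitive string match.
    """
    tok_sub = id_token_claims.get(SUBJECT_CLAIM)
    ui_sub = userinfo.get(SUBJECT_CLAIM)
    if not isinstance(tok_sub, str) or not isinstance(ui_sub, str):
        return False
    if not tok_sub or not ui_sub:
        return False
    return tok_sub == ui_sub


def accept_userinfo(id_token_claims: dict, userinfo_body: str) -> dict:
    """Parse a UserInfo JSON body; raise instead of returning it when it is
    not about the subject of the session's ID Token."""
    userinfo = json.loads(userinfo_body)
    if not userinfo_matches_id_token(id_token_claims, userinfo):
        raise ValueError("UserInfo response is not about the ID Token subject")
    return userinfo


# Constructed sample data for a stand-alone run (not real token contents).
ID_TOKEN_CLAIMS = {"iss": "https://op.example", "user_id": "248289761001",
                   "aud": "client-1"}
GOOD_USERINFO = '{"user_id": "248289761001", "name": "Jane Doe"}'
BAD_USERINFO = '{"user_id": "999999999999", "name": "Someone Else"}'

if __name__ == "__main__":
    print(accept_userinfo(ID_TOKEN_CLAIMS, GOOD_USERINFO)["name"])
    try:
        accept_userinfo(ID_TOKEN_CLAIMS, BAD_USERINFO)
    except ValueError as exc:
        print("rejected:", exc)
```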
Comments (7)
re #310 remove language about subject
re #310 user info example to include user_id, fix language about user info response format, add media type.
- changed status to resolved
Implicit flow needs it also in Standard.