Messages - 2.1.2 Why no user_id in the possible request param?
Issue #439
resolved
If there is no user_id in the request, 2.1.4 Authz Error response "user_mismatched" does not make sense.
Thus, user_id should be one of the possible request param.
{{{ user_id An identifier assigned by the Server to identify the end user at this client. }}}
Comments (3)
-
-
-
assigned issue to
This could be added, but should be restricted in scope to restrict the query to a specific user. We SHOULD NOT define anything about requesting things for users other than the End-User.
-
assigned issue to
-
- changed status to resolved
Fixes
#439Sec 2.1.2.1.2 Added user_id claim and moved iso29115 to claims element of id_token member - Log in to comment
I think that was from session management.
I agree that at this point user mismatch without the ability to request a user is unlikely.
Passing the user in the request object is a possibility.
I don't think it is worth adding it to the simple directed flow.