Messages, Multi Response - Cope with bloating id_token_hint in self-issued cases

Issue #668 wontfix
Nat Sakimura created an issue

The idea of userinfo_token has been rejected in the past saying that claims can be introduced to id_token.

Including claims in id_token is fine as long as we do not send it as a hint (id_token_hint). After having built an implementation, we now feel that it is a bit of a pain not to have userinfo_token, especially in cases where the user's picture is included in the id_token claims, as the size becomes a performance issue.

One could argue that one should only include the picture URL, but this defeats the purpose of self-issued OP, as that picture URL will act as a global identifier.

It seems in such cases, we may want to have userinfo_token so that the claims can be sent outside of id_token.

I would appreciate it if the WG would discuss this issue at the coming F2F.

Comments (1)

  1. Michael Jones

    The working group was strongly against creating a new response_type when discussed at the F2F at Google. Someone suggested asking for a second ID Token without extra claims in it as a workaround.
