Basic - 4 unclear wording for Userinfo endpoint - subject binding

Issue #83 resolved
jbufu
created an issue

The wording "subject of the Userinfo endpoint" doesn't make sense, not clear how OAuth 2 protected resource endpoints can have subjects.

Comments (4)

  1. Nat Sakimura

    Write that :

    Note: UserInfo response is not guaranteed to be about the Subject in the session. Therefore, it MUST NOT be used as an assertion about the user in the session unless the user_id matches the user_id in the ID Token.

  2. Log in to comment