Basic - 4 unclear wording for Userinfo endpoint - subject binding
Issue #83
resolved
The wording "subject of the Userinfo endpoint" doesn't make sense; it is not clear how OAuth 2 protected resource endpoints can have subjects.
Comments (4)
assigned issue to
assigned issue to
Write that:
Note: The UserInfo response is not guaranteed to be about the Subject in the session. Therefore, it MUST NOT be used as an assertion about the user in the session unless the user_id matches the user_id in the ID Token.
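The subject-binding check the proposed note describes, as an added example that is not code from this issue or from the OpenID Connect specification. It assumes an HS256-signed ID Token with a constructed client secret and sample claims; the final OpenID Connect Core text names the subject claim `sub`, so the check looks for `sub` first and accepts the `user_id` name used in the comment above as a fallback. The UserInfo responses fed to it are constructed as well.

```python
"""Subject binding between an ID Token and a UserInfo response.

Added example, not code from the issue or the OpenID Connect specification.
The ID Token, client secret and UserInfo responses below are constructed.
"""
import base64
import hashlib
import hmac
import json


class SubjectMismatch(Exception):
    """The UserInfo response is not about the subject named in the ID Token."""


# Final OpenID Connect Core name first, then the "user_id" name used in the comment.
SUBJECT_CLAIMS = ("sub", "user_id")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_id_token(claims: dict, hmac_key: bytes) -> str:
    """Issue an HS256-signed ID Token (the OP's job; used here only to build the sample)."""
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    sig = hmac.new(hmac_key, signing_input, hashlib.sha256).digest()
    return "%s.%s.%s" % (header_b64, payload_b64, _b64url_encode(sig))


def id_token_claims(id_token: str, hmac_key: bytes) -> dict:
    """Verify the ID Token signature and return its claims.

    Verification comes first: an unverified ID Token names no subject worth
    binding to. A real client also checks iss, aud, exp and nonce, and usually
    verifies an RS256/ES256 signature against the provider's published keys.
    """
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    signing_input = ("%s.%s" % (header_b64, payload_b64)).encode("ascii")
    expected = hmac.new(hmac_key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("ID Token signature invalid")
    return json.loads(_b64url_decode(payload_b64))


def _subject(claims: dict) -> str:
    for name in SUBJECT_CLAIMS:
        value = claims.get(name)
        if isinstance(value, str) and value:
            return value
    raise ValueError("no subject identifier claim present")


def bind_userinfo(id_claims: dict, userinfo: dict) -> dict:
    """Return the UserInfo claims only if their subject exactly matches the ID Token's.

    Exact, case-sensitive string comparison: a response for another subject, or
    with no subject at all, is rejected outright rather than partially trusted.
    """
    token_sub = _subject(id_claims)
    try:
        info_sub = _subject(userinfo)
    except ValueError:
        raise SubjectMismatch("UserInfo response carries no subject claim")
    if info_sub != token_sub:
        raise SubjectMismatch(
            "UserInfo subject %r does not match ID Token subject %r" % (info_sub, token_sub)
        )
    return userinfo


# Constructed sample: a client secret and an ID Token for subject 248289761001.
SAMPLE_KEY = b"constructed-client-secret-for-this-example"
SAMPLE_ID_TOKEN = make_id_token(
    {"iss": "https://op.example", "aud": "client-1", "sub": "248289761001"}, SAMPLE_KEY
)


def demo():
    """Accept a matching UserInfo response and reject one for a different subject."""
    claims = id_token_claims(SAMPLE_ID_TOKEN, SAMPLE_KEY)
    accepted = bind_userinfo(claims, {"sub": "248289761001", "name": "Jane Doe"})
    try:
        bind_userinfo(claims, {"sub": "999", "name": "Someone Else"})
        rejected = False
    except SubjectMismatch:
        rejected = True
    return accepted["name"], rejected


if __name__ == "__main__":
    print(demo())
```

The order matters: the ID Token is verified before its subject is trusted, and the UserInfo response is discarded as a whole on mismatch, since a response about a different subject must not be used even partially as an assertion about the session user.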
- changed status to resolved
fixes #83
Section 4 of Basic looks euphemistic. Referring to Bearer Token may be simpler and clearer.