JWT is more generic than OIDC. prn and user_id as used by OIDC are similar. user_id is already in wide use with Facebook's signed request. We were hoping that Facebook would be more likely to migrate from signed request to JWT if the parameter names stayed the same for developers.
In the generic case of a JWT the prn may not be a user. The other discussion that I recall around prn was a notion that they are fully qualified and globally unique. We wanted to be clear with user_id that it is scoped to the iss and not globally unique. So a prn was seen as a User Principal name and the user_id was seen as a persistent non reassignable identifier for the user in the context of the iss. John B. On 2012-11-24, at 3:47 PM, Torsten Lodderstedt <[email protected]> wrote: > Hi, > > I've got a few comments on your draft. > > I’m wondering why neither acr nor auth_time (which are used in OIDC) made > their way into this spec? > > What is the difference between prn and the user_id claim OIDC uses? > > regards, > Torsten. > _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
