A user_id is scoped to an iss. There is some notion that a prn is globally unique, though the JWT spec is not clear on that. I think people are thinking of it like a UPN in LDAP/AD.
John B.

On 2012-11-26, at 3:46 PM, Torsten Lodderstedt <[email protected]> wrote:

> Hi John
>
> thanks for the explanation. Just to make sure I got you right. A prn can be a
> user_id. A prn is bound to the scope of an iss.
>
> Regards,
> Torsten.
>
> John Bradley <[email protected]> wrote:
>
> JWT is more generic than OIDC.
>
> prn and user_id as used by OIDC are similar. user_id is already in wide use
> with Facebook's signed request.
> We were hoping that Facebook would be more likely to migrate from signed
> request to JWT if the parameter names stayed the same for developers.
>
> In the generic case of a JWT the prn may not be a user.
>
> The other discussion that I recall around prn was a notion that they are
> fully qualified and globally unique.
>
> We wanted to be clear with user_id that it is scoped to the iss and not
> globally unique.
>
> So a prn was seen as a User Principal name and the user_id was seen as a
> persistent non reassignable identifier for the user in the context of the iss.
>
> John B.
>
> On 2012-11-24, at 3:47 PM, Torsten Lodderstedt <[email protected]>
> wrote:
>
> Hi,
>
> I've got a few comments on your draft.
>
> I’m wondering why neither acr nor auth_time (which are used in OIDC) made
> their way into this spec?
>
> What is the difference between prn and the user_id claim OIDC uses?
>
> regards,
> Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
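
As an added illustration of the scoping point in this thread (not code from the thread's participants or from any specification): a relying party that keys local accounts on the (iss, user_id) pair rather than on user_id alone. The issuer URLs, the `AccountStore` class and the sample claims are hypothetical and constructed, and the claims are assumed to come from a token whose signature was already verified.

```python
from dataclasses import dataclass, field

# Hypothetical issuers trusted by this relying party (constructed values).
TRUSTED_ISSUERS = {"https://idp-a.example", "https://idp-b.example"}


@dataclass
class AccountStore:
    """Maps an (iss, user_id) pair to a local account id."""
    _by_subject: dict = field(default_factory=dict)
    _next_id: int = 1

    def account_for(self, claims: dict) -> int:
        # Assumption: `claims` was taken from a token whose signature has
        # already been verified against the key belonging to claims["iss"].
        iss, user_id = claims.get("iss"), claims.get("user_id")
        if iss not in TRUSTED_ISSUERS:
            raise ValueError("untrusted or missing iss")
        if not isinstance(user_id, str) or not user_id:
            raise ValueError("missing user_id")
        key = (iss, user_id)  # user_id alone is not unique across issuers
        if key not in self._by_subject:
            self._by_subject[key] = self._next_id
            self._next_id += 1
        return self._by_subject[key]


def naive_key(claims: dict) -> str:
    """Anti-pattern kept for comparison: ignores the issuer scope."""
    return claims["user_id"]


# Constructed claims: two issuers that happen to assign the same user_id.
USER_AT_A = {"iss": "https://idp-a.example", "user_id": "1001"}
USER_AT_B = {"iss": "https://idp-b.example", "user_id": "1001"}
```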
