Hi John,
does it make sense to change the spec as follows:
- specify the prn claim as being globally unique
- add user_id as scoped by iss claim
What do you think?
regards,
Torsten.
On 26.11.2012 19:51, John Bradley wrote:
A user_id is scoped to an iss.
There is some notion that a prn is globally unique, though the JWT
spec is not clear on that. I think people are thinking of it like a
UPN in LDAP/AD.
John B.
On 2012-11-26, at 3:46 PM, Torsten Lodderstedt <[email protected]> wrote:
Hi John
thanks for the explanation. Just to make sure I got you right. A prn
can be a user_id. A prn is bound to the scope of an iss.
Regards,
Torsten.
John Bradley <[email protected]> wrote:
JWT is more generic than OIDC.
prn and user_id as used by OIDC are similar. user_id is already in wide
use with Facebook's signed request.
We were hoping that Facebook would be more likely to migrate from signed
request to JWT if the parameter names stayed the same for developers.
In the generic case of a JWT the prn may not be a user.
The other discussion that I recall around prn was a notion that they are
fully qualified and globally unique.
We wanted to be clear with user_id that it is scoped to the iss and not
globally unique.
So a prn was seen as a User Principal name and the user_id was seen as a
persistent non reassignable identifier for the user in the context of the iss.
John B.
On 2012-11-24, at 3:47 PM, Torsten Lodderstedt <[email protected]> wrote:
Hi,
I've got a few comments on your draft. I’m wondering why
neither acr nor auth_time (which are used in OIDC) made their
way into this spec? What is the difference between prn and
the user_id claim OIDC uses?
regards,
Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
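
Added example, not part of the thread and not code from the spec or its authors: a relying party that treats user_id as scoped to iss, as described in the discussion above, keys local accounts on the (iss, user_id) pair rather than on user_id alone. The class name, issuer URLs and claim values are constructed, and the claims are assumed to come from JWTs whose signature, audience and expiry were already verified.

```python
class AccountStore:
    """Maps an issuer-scoped identifier to a local account id."""

    def __init__(self, trusted_issuers):
        self.trusted_issuers = set(trusted_issuers)
        self._by_identity = {}  # (iss, user_id) -> local account id
        self._next_id = 1

    @staticmethod
    def identity_key(claims):
        iss, user_id = claims.get("iss"), claims.get("user_id")
        if not (isinstance(iss, str) and iss and isinstance(user_id, str) and user_id):
            raise ValueError("iss and user_id must both be present")
        # A tuple, not string concatenation, so no delimiter can blur the two parts.
        return (iss, user_id)

    def login(self, claims):
        key = self.identity_key(claims)
        if key[0] not in self.trusted_issuers:
            raise PermissionError("untrusted issuer: " + key[0])
        if key not in self._by_identity:
            self._by_identity[key] = self._next_id
            self._next_id += 1
        return self._by_identity[key]


def naive_key(claims):
    # Weak form shown for contrast: treats user_id as globally unique.
    return claims["user_id"]


# Constructed sample claims: two issuers that assign the same user_id value.
ALICE_AT_A = {"iss": "https://idp-a.example", "user_id": "1001"}
BOB_AT_B = {"iss": "https://idp-b.example", "user_id": "1001"}


def demo():
    store = AccountStore(["https://idp-a.example", "https://idp-b.example"])
    a = store.login(ALICE_AT_A)
    b = store.login(BOB_AT_B)
    a_again = store.login(ALICE_AT_A)
    collides_naively = naive_key(ALICE_AT_A) == naive_key(BOB_AT_B)
    return a, b, a_again, collides_naively


if __name__ == "__main__":
    print(demo())
```

With the pair as key the two users get separate accounts, while the user_id-only key maps both to the same record.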