[mitreid-connect] OpenID Token

Justin Richer jricher at mit.edu
Thu Nov 6 14:34:46 EST 2014


That’s correct, MITREid Connect only puts authentication session related information into the ID token - sub, auth_time, iss, etc. OIDC does define a way to request claims in the ID token, but we don’t currently support returning the claims there. We’ve got an issue tracking this feature for a future release:

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/473

This feature doesn’t have a specific date or release targeted. If you override the ConnectTokenServices bean in your overlay/implementation you can change this behavior directly.

Part of the reasoning behind the split is that the ID Token is sent in every authentication transaction, but the profile claims need to be fetched only once in a while, after which they can be cached. 

 — Justin

On Nov 6, 2014, at 12:38 AM, Yannick Béot <yannick.beot at gmail.com> wrote:

> Hi,
> 
> To my understanding, in MITREid Connect's implementation, openid does not contain any claims on the subject except "sub".
> So the client application has to query the userinfo to get some basic info such as firstname, lastname, etc.
> 
> JWT can be extended and therefore should be able to contain profile information.
> 
> I guess we want the idtoken super light, but having this additional round trip to query the userinfo adds delay and complexity. For instance, in an implicit flow, wouldn't we have to put CORS in place because of this userinfo?
> 
> Should MITREid Connect not allow extending the idtoken?
> What do you think?
> 
> Best regards,
> 
> Yannick Beot
> 
> 
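
The split described in the reply above (ID token on every authentication, profile claims fetched occasionally and cached), shown from the client side as an added example that is not part of the original thread or of MITREid Connect. ProfileCache, fetch_userinfo and the sample values are hypothetical; the sub comparison is the check OIDC Core 5.3.2 requires before UserInfo claims are trusted.

```python
import time


class SubjectMismatch(Exception):
    """UserInfo response was issued for a different subject than the ID token."""


class ProfileCache:
    """Caches UserInfo claims per (iss, sub) so repeat logins skip the round trip."""

    def __init__(self, fetch_userinfo, ttl_seconds=3600, clock=time.time):
        self._fetch = fetch_userinfo      # hypothetical callable: access_token -> dict
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = {}                # (iss, sub) -> (expires_at, claims)

    def profile_for(self, id_token_claims, access_token):
        # id_token_claims must come from an ID token whose signature, iss,
        # aud and exp have already been validated by the caller.
        key = (id_token_claims["iss"], id_token_claims["sub"])
        cached = self._entries.get(key)
        if cached and cached[0] > self._clock():
            return cached[1]
        claims = self._fetch(access_token)
        # OIDC Core 5.3.2: the UserInfo sub must exactly match the ID token sub,
        # otherwise the profile may belong to another user (token substitution).
        if claims.get("sub") != id_token_claims["sub"]:
            raise SubjectMismatch("UserInfo sub does not match ID token sub")
        self._entries[key] = (self._clock() + self._ttl, claims)
        return claims


# Constructed sample data: claims of the kind the thread says the ID token carries.
SAMPLE_ID_TOKEN = {"iss": "https://idp.example.org/", "sub": "user-01", "auth_time": 1415302486}
SAMPLE_USERINFO = {"sub": "user-01", "given_name": "Ada", "family_name": "Example"}


def demo():
    calls = []
    def fake_fetch(token):               # stands in for the HTTPS call to UserInfo
        calls.append(token)
        return dict(SAMPLE_USERINFO)
    cache = ProfileCache(fake_fetch)
    first = cache.profile_for(SAMPLE_ID_TOKEN, "at-1")
    second = cache.profile_for(SAMPLE_ID_TOKEN, "at-2")   # second login, new token
    return first["given_name"], second["family_name"], len(calls)
```

Keying the cache on the (iss, sub) pair rather than sub alone keeps profiles from different issuers apart, since sub is only unique within one issuer.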