Core - Should Userinfo include the issuer?

Issue #989 resolved
Nat Sakimura created an issue

Maybe userinfo response should include the issuer as well?

Comments (13)

  1. Michael Jones

    We return "sub" to give the client an internal integrity check. Returning "iss" wouldn't increase security because the OP can always lie. You already shouldn't rely upon the UserInfo response for authenticating the user. There doesn't appear to be a strong argument for returning it.

  2. Nat Sakimura reporter

    5.3.2. Successful UserInfo Response says:

    NOTE: Due to the possibility of token substitution attacks (see Section 16.11), the UserInfo Response is not guaranteed to be about the End-User identified by the sub (subject) element of the ID Token. The sub Claim in the UserInfo Response MUST be verified to exactly match the sub Claim in the ID Token; if they do not match, the UserInfo Response values MUST NOT be used.

    Need to make it more explicit? Like "can be used for attributes" ...

  3. Nat Sakimura reporter
    • changed status to open

    Perhaps writing security consideration text for "not using Userinfo response for authentication"

  4. Michael Jones

    @Nat Sakimura - if you could supply the Security Considerations text you have in mind, that would be much appreciated.

  5. Nat Sakimura reporter

    Thanks for the PR. There were two points I was trying to make:

    1. The sub alone cannot be used as a user identifier. This seems obvious for us, but it may be worth mentioning.
    2. In the case of signed responses, would there be a requirement around the values of the iss of the JWS and what the sub was paired with?

    They are not currently captured.

    Also, since I have seen a case where ID Token was returned from the token endpoint in exchange for a refresh token recently, the following question came to my mind. It could be a different issue but:

    1. Is it worth mentioning that ID Token returned in response to the authentication request can be used for user authentication?

    WDYT?

  6. Michael Jones

    We discussed this on the 7-Aug-23 call. Point 1 is already addressed. We’ll address point 2 by adding a statement that the “iss” for signed UserInfo responses must be the OP’s issuer.
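    The two checks agreed in this thread (sub in the UserInfo response must equal sub in the ID Token, and iss in a signed UserInfo response must be the OP's issuer) as an added Relying Party-side example; this is illustrative code, not text from the spec or from any OpenID implementation. It assumes the ID Token has already been validated and that a signed UserInfo response has had its JWS signature verified before its claims are passed in; the issuer and subject values are constructed.

```python
"""Checks a Relying Party applies to a UserInfo response before using its claims."""


def userinfo_problems(userinfo, id_token, expected_issuer, signed=False):
    """Return the reasons the UserInfo response must not be used (empty list = usable).

    userinfo and id_token are claim dicts. The ID Token is assumed to be already
    validated (signature, iss, aud, exp); a signed UserInfo response is assumed to
    have had its JWS signature checked before its claims reach this function.
    """
    problems = []
    sub = userinfo.get("sub")
    if not isinstance(sub, str) or not sub:
        problems.append("UserInfo response has no sub claim")
    elif sub != id_token.get("sub"):
        # Token substitution: the access token presented at the UserInfo endpoint
        # was not issued for the End-User the ID Token identifies.
        problems.append("sub in UserInfo response does not match sub in ID Token")
    if signed and userinfo.get("iss") != expected_issuer:
        problems.append("iss in signed UserInfo response is not the OP's issuer")
    return problems


def usable_claims(userinfo, id_token, expected_issuer, signed=False):
    """Return the UserInfo claims if every check passes, otherwise None."""
    if userinfo_problems(userinfo, id_token, expected_issuer, signed):
        return None
    return dict(userinfo)


def end_user_key(id_token):
    """The identifier an RP keys accounts on: the (iss, sub) pair, never sub alone."""
    return (id_token["iss"], id_token["sub"])


# Constructed sample data (hypothetical issuer and subject values).
ID_TOKEN = {"iss": "https://op.example.com", "sub": "248289761001", "aud": "rp-client"}
USERINFO_OK = {"sub": "248289761001", "email": "jane@example.com"}
USERINFO_SUBSTITUTED = {"sub": "999999999999", "email": "other@example.com"}
USERINFO_SIGNED_OK = {"iss": "https://op.example.com", "sub": "248289761001", "name": "Jane"}
USERINFO_SIGNED_WRONG_ISS = {"iss": "https://other-op.example.net", "sub": "248289761001"}

if __name__ == "__main__":
    print(usable_claims(USERINFO_OK, ID_TOKEN, ID_TOKEN["iss"]))
    print(userinfo_problems(USERINFO_SUBSTITUTED, ID_TOKEN, ID_TOKEN["iss"]))
    print(userinfo_problems(USERINFO_SIGNED_WRONG_ISS, ID_TOKEN, ID_TOKEN["iss"], signed=True))
```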