
Eh? Got additional details on which OIDC providers aren't using a proper userinfo + AT? Not that that shouldn't include TLS...

We don't do token introspection (basically what you're referring to) and instead use JWT/JWE(soon) to reduce round trips for the RP.

Could you expand on the OIDC issue with cryptographic domain separation? Not sure I fully understand what benefits you're looking for there.



Re: OIDC providers: to be clear, you absolutely can just parse the JWT. I'm saying that (up until recently, if memory serves) e.g. the GSuite documentation told you that while you can validate a token, that's hard, and instead you can just hit this HTTPS API and we'll tell you what's in it.

(They seem to have flipped that in the last, I dunno, 3 months or so?)
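As an added example, not part of any comment in this thread, here is the kind of local ID-token validation the comment above contrasts with "just hit this HTTPS API": the RP checks the signature and the iss/aud/exp/nonce claims itself, with no round trip to the provider. The issuer, client_id and secret are constructed values, and HS256 with a shared secret is used only so the whole path runs on the Python standard library; real OIDC providers sign ID tokens with RS256/ES256 keys published in their JWKS, so in practice the signature step becomes an asymmetric verify against the key selected by the header's kid.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for a hypothetical OP and RP (not a real provider).
SHARED_SECRET = b"hypothetical-client-secret-do-not-use"
EXPECTED_ISSUER = "https://op.example"
EXPECTED_AUDIENCE = "rp-client-id-123"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed stand-in for the OP: emits a compact JWS over the claims.
    alg="none" is supported only to show the validator rejecting it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_id_token(token: str, key: bytes, issuer: str, audience: str,
                      nonce: str = None, now: float = None) -> dict:
    """Validate an ID token locally, as the RP would instead of calling /userinfo.
    Returns the claims on success and raises ValueError on any failure."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError:  # bad segment count, bad base64, bad JSON/UTF-8
        raise ValueError("malformed token")
    # 1. Pin the algorithm: the header's alg must never choose the verifier,
    #    or "none" / key-confusion tokens walk straight through.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    # 2. Constant-time signature check over the exact bytes that were signed.
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    # 3. Issuer must be the OP this RP was configured for.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    # 4. Audience must include our client_id; with several audiences,
    #    OIDC Core requires azp to name us as the authorized party.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("token not intended for this client")
    if len(aud_list) > 1 and claims.get("azp") != audience:
        raise ValueError("multiple audiences without matching azp")
    # 5. Time window: exp is mandatory; reject tokens issued in the future.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise ValueError("expired")
    if isinstance(iat, (int, float)) and iat > now + 60:
        raise ValueError("issued in the future")
    # 6. The nonce binds this token to the login request that asked for it.
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def validation_error(token: str, key: bytes, issuer: str, audience: str,
                     nonce: str = None, now: float = None):
    """Convenience wrapper: None when the token validates, else the reason."""
    try:
        validate_id_token(token, key, issuer, audience, nonce=nonce, now=now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = int(time.time())
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user-1",
              "iat": now, "exp": now + 300, "nonce": "n-1"}
    tok = mint_id_token(claims, SHARED_SECRET)
    print(validate_id_token(tok, SHARED_SECRET, EXPECTED_ISSUER, EXPECTED_AUDIENCE, nonce="n-1"))
    print(validation_error(mint_id_token(claims, SHARED_SECRET, alg="none"),
                           SHARED_SECRET, EXPECTED_ISSUER, EXPECTED_AUDIENCE))
```

The iss and aud checks are what keeps a token minted for one relying party from being replayed at another that trusts the same provider; calling the provider's userinfo endpoint instead gives you that separation only if the endpoint enforces it for you, which is why the local route is worth getting right once.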


Ah, gotcha. That sounds like token introspection basically, which is a (budding?) standard, not really userinfo.


Unless my memory is failing me, in the Google case it was really /userinfo (as in the OIDC Core UserInfo endpoint) and not token introspection (a "post-auth" endpoint taking a token, not a "pre-auth" one you pass a JWT to). Though I agree that from the perspective of a consumer the two are basically just as good :-)


I would think a "Pre-auth" endpoint that can be called for user information is not what consumers want...


I mean pre-auth in that you pass it a JWT with a shared credential that it parses for you, as opposed to an explicit auth'd credential.



