
Unless my memory is failing me, in the Google case it was really /userinfo (as in the OIDC Core UserInfo endpoint) and not token introspection (a "post-auth" endpoint taking a token, not a "pre-auth" one you pass a JWT to). Though I agree that from the perspective of a consumer the two are basically just as good :-)


I would think a "Pre-auth" endpoint that can be called for user information is not what consumers want...


I mean pre-auth in that you pass it a JWT with a shared credential that it parses for you, as opposed to an explicit auth'd credential.



