While my personal preference is to not release PII as part of authentication, we do have people demanding attributes in SAML and Connect at LoA 2+ for identity resolution at the relying party. https://www.idmanagement.gov/sites/default/files/documents/FICAM_TFS_ATOS.pdf (see Appendix A)
JWT is used in much more than just OAuth these days.

John B.

On Oct 6, 2014, at 6:42 PM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:

>>
>> but sometimes the very
>> point of a JWT is to securely deliver PII from a verifiable party to
>> an intended party with appropriate rights to receive it.
>
> Hmm. It's a moot point (so let's not argue it) but I wonder how
> often PII is really needed for authorization with oauth. My guess
> would be that it's needed far less often than it's found to be
> profitable perhaps, or that carelessness plays a big role in
> using PII for such purposes.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth