[Openid-specs-ab] Lite Draft 8
jbufu at janrain.com
Tue Aug 16 23:32:44 UTC 2011
On 11-08-16 12:55 PM, Allen Tom wrote:
> Based on my feedback, and also from what I read from George and Johnny,
> it sounds like the id_token should either be removed from the Lite spec
> (is it really required for a Lite implementation? It appears to be an
It was explained on the call yesterday that the ID token identifies the
information captured by the server about a given authentication event.
It is session-based and expires as soon as the user logs out of their IdP
(or maybe sooner?). Lite clients can retrieve the data associated with
it from the introspection endpoint. Full clients can verify the
signature and extract authentication data from it themselves.
In other words, the ID token is the identifier for the "authenticated"
attribute of a user.
The OAuth2 access token is longer lived and can be used by the client to
retrieve user profile data (or claims/attributes) from the userinfo
endpoint without the user being present.
> or perhaps if it needs to stay in the spec, then it should
> be definitely better documented.
+1, I raised the same issue on the call yesterday; John said he would
add explanations for the ID token.
> The id_token definition in Section 2 says that it's opaque in the Lite
> profile, which at least to me, means that implementors can ignore it.
To me it means that a lite client doesn't have to understand its
contents, parse or extract data from it. Just store, compare or pass it
along as required by the protocol.
I still think that the term "opaque" should be targeted at one or more
parties that handle the token, not at a document.
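The two handling modes described above (Lite client treats the ID token as an opaque string; full client verifies the signature and reads the claims), as an added example that is not part of the original message or of the Lite draft. The compact JWS layout, the HMAC key shared between IdP and full client, the claim names (iss, user_id, aud, iat, exp) and the introspection parameter name are assumptions, not taken from the page:

```python
import base64, hmac, hashlib, json

# Constructed demo key shared by the IdP and the full client (assumption: HMAC-SHA256 signing).
IDP_KEY = b"constructed-demo-key-not-for-real-use"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def idp_issue_id_token(user_id, client_id, now, lifetime=300):
    """IdP side: record an authentication event and sign a compact token over it.
    Claim names are assumptions for this example, not the draft's."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "https://idp.example", "user_id": user_id, "aud": client_id,
              "iat": now, "exp": now + lifetime}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class LiteClient:
    """Treats the ID token as opaque: store, compare, pass along; never parses it."""
    def __init__(self):
        self.sessions = {}
    def store(self, session_id, id_token):
        self.sessions[session_id] = id_token
    def same_authentication(self, session_id, id_token):
        # Constant-time string comparison; no knowledge of the token's structure is needed.
        stored = self.sessions.get(session_id)
        return stored is not None and hmac.compare_digest(stored, id_token)
    def introspection_request(self, session_id):
        # The Lite client just hands the string to the introspection endpoint ('token' is an assumed name).
        return {"token": self.sessions[session_id]}

def full_client_verify(id_token, expected_aud, now):
    """Full client: check the signature locally, then extract and validate the claims."""
    try:
        h, p, s = id_token.split(".")
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None  # tampered, or signed by an unknown key
    claims = json.loads(_b64url_decode(p))
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None  # issued for another client, or the authentication event has expired
    return claims
```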