[Openid-specs-ab] Lite Draft 8

Johnny Bufu jbufu at janrain.com
Wed Aug 17 00:08:24 UTC 2011

On 11-08-16 04:44 PM, John Bradley wrote:
> Perhaps just not calling it out as opaque. We don't say that about the
> user-info access token, because it is assumed in OAuth.

Isn't there another relevant difference that would warrant calling it 
opaque for some parties but not for others?

The ID token will actually contain payload/information that can be 
extracted and understood by servers and full clients; the access token 
is just an identifier for a grant entry stored by the server.

> I am leaning towards describing it as the access token for the Check
> Session endpoint.

Is the check session endpoint the same as the introspection endpoint?

> I asked in another email if id_token is perhaps a bad name? Perhaps session?

I'm fine with either; not sure if the name led to confusion, or the lack 
of explanations.

If it can be used for anything else besides sending it to the check 
session endpoint, I'd prefer calling it id_token: it describes 
reasonably well what it is, as it contains the user_id field. Successful 
processing results in verified identification of the authenticated user.


More information about the Openid-specs-ab mailing list