[Openid-specs-ab] Lite Draft 9

Allen Tom allentomdude at gmail.com
Mon Aug 22 20:00:09 UTC 2011

Hi Breno -

I don't have much first-hand experience with FB's signed_request, but my
understanding is that it allows FB to return a signed response to an app, so that
the app knows that it came from FB.


The docs don't say that there are two Access Tokens, instead the Access
Token is a signed parameter contained within the signed_request.

My concern regarding the id_token and the CheckSession API is that it could
be confusing to tell developers that the id_token is an Access Token, but
only for the CheckSession API. All other endpoints use the regular Access


On Mon, Aug 22, 2011 at 12:31 PM, Breno de Medeiros <breno at google.com> wrote:

> On Mon, Aug 22, 2011 at 12:05, Allen Tom <allentomdude at gmail.com> wrote:
> > I think it might be confusing to developers to have multiple access
> tokens.
> > I don't think I've seen any other Connect/OAuth type implementations that
> > return multiple access tokens. Are there any examples out there?
> Yes. Facebook Connect uses signed_request as the id_token.