[Openid-specs-ab] Lite Draft 9

Breno de Medeiros breno at google.com
Thu Aug 25 20:09:38 UTC 2011

On Thu, Aug 25, 2011 at 12:55, Allen Tom <allentomdude at gmail.com> wrote:
> My understanding of FB's implementation is that their equivalent of the
> id_token actually contains the access_token, rather than a hash of the
> access_token or code.
> Is the FB signed_request the equivalent of the id_token?

No, they only use signed_request in the code flow, and it includes a code.

Unlike the access_token, the code cannot be used without a client secret.

> https://developers.facebook.com/docs/authentication/signed_request/
> Allen
> 2011/8/25 John Bradley <ve7jtb at ve7jtb.com>
>> Facebook is currently doing something like this with their signed request
>> tokens where they are including code in the token, or a hash of the access
>> token.
>> Facebook's implementation is not completely based on OAuth 2 draft 10.
>> It is a bit hard to figure it out from the documentation.