[Openid-specs-ab] Lite Draft 9
Breno de Medeiros
breno at google.com
Thu Aug 25 20:09:38 UTC 2011
On Thu, Aug 25, 2011 at 12:55, Allen Tom <allentomdude at gmail.com> wrote:
> My understanding of FB's implementation is that their equivalent of the
> id_token actually contains the access_token, rather than a hash of the
> access_token or code.
> Is the FB signed_request the equivalent of the id_token?
No, they only use signed_request in the code flow, and it includes a code.
Unlike the access_token, the code cannot be used without a client secret.
> 2011/8/25 John Bradley <ve7jtb at ve7jtb.com>
>> Facebook is currently doing something like this with there signed request
>> tokens where they are including code in the token, or a hash of the access
>> Facebook's implementation is not completely based on OAuth 2 draft 10.
>> It is a bit hard to figure it out from the documentation.
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
More information about the Openid-specs-ab