[Openid-specs-ab] Differentiating the id_token requester from the token audience

Pedro Felix pmhsfelix at gmail.com
Wed Jun 5 13:03:21 UTC 2013

The ID Token format has support to separate the token audience ("aud") from
the authorized party ("azp").

As an example, the Google API authorization uses this to differentiate
between the mobile client requesting the id_token + code (the "azp") and
the back-end server that will obtain the access_token and use the id claims
(the "aud").
Since there are now *two* client_id involved, the Google API adds the
back-end server client_id to the authorization request scope parameter
(e.g. scope="audience:server:client_id:some_client_id other_scope" [1]).

However, I did not found any similar mechanism on the OpenID Connect specs.
So, how can an authorization request define these two client_ids?


[1] - https://developers.google.com/accounts/docs/CrossClientAuth<https://developers.google.com/accounts/docs/CrossClientAuth#offlineAccess>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130605/5a761fec/attachment.html>

More information about the Openid-specs-ab mailing list