[Openid-specs-ab] More than one token

Roland Hedberg roland.hedberg at umu.se
Thu Feb 12 09:38:12 UTC 2015


Encountered this the other day.

If the RP does an authentication request with response_type="code token" it can potentially end up with two
tokens. One T(1) which it got directly in the authentication response and the other T(2) which it got by
using the code at the token endpoint.

The standard is not very explicit on the relationship between T(1) and T(2).
They are obviously issued by the same OP based on the same authentication event but there the likeness may end.

So for instance I may get different results if I use T(1) or T(2) at the userinfo endpoint.

My implementation allows T(1) and T(2) to be active at the same time, they live independent lives.
I wonder if that is common?

- Roland

"It is the consequence of humanity. We are all formed of frailty and error; let us pardon reciprocally each other's folly - that is the first law of nature." - Voltaire
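As an added example (not Roland's implementation and not any OpenID Foundation code), here is one hypothetical toy OP design for response_type="code token" in which T(1) and T(2) are bound to the same authentication-event grant: userinfo returns identical claims for either token, the code is single-use, and revoking one token ends the other as well. All class and method names are made up for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Grant:
    subject: str
    scope: frozenset
    tokens: set = field(default_factory=set)  # every token minted from this grant

class HybridFlowOP:
    """Hypothetical OP handling response_type="code token" (example only)."""
    def __init__(self):
        self.grants = {}   # grant_id -> Grant (one per authentication event)
        self.tokens = {}   # access token -> grant_id
        self.codes = {}    # unredeemed authorization code -> grant_id

    def _mint(self, gid):
        tok = secrets.token_urlsafe(24)
        self.tokens[tok] = gid
        self.grants[gid].tokens.add(tok)
        return tok

    def authorize(self, subject, scope):
        """Authentication response: T(1) plus a code, both bound to one new grant."""
        gid = secrets.token_urlsafe(8)
        self.grants[gid] = Grant(subject, frozenset(scope))
        code = secrets.token_urlsafe(16)
        self.codes[code] = gid
        return {"code": code, "access_token": self._mint(gid)}

    def token_endpoint(self, code):
        """Redeem the code once; T(2) is bound to the same grant as T(1)."""
        gid = self.codes.pop(code, None)  # single use: a replayed code fails
        if gid is None:
            raise ValueError("invalid_grant")
        return {"access_token": self._mint(gid)}

    def userinfo(self, token):
        """Both tokens resolve to one grant, so the claims cannot diverge."""
        gid = self.tokens.get(token)
        if gid is None:
            raise PermissionError("invalid_token")
        g = self.grants[gid]
        return {"sub": g.subject, "scope": sorted(g.scope)}

    def revoke(self, token):
        """Revoking either token ends the whole authentication event; returns count."""
        gid = self.tokens.get(token)
        stale = self.grants.pop(gid).tokens if gid else set()
        for t in stale:
            del self.tokens[t]
        return len(stale)
```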

