[Openid-specs-ab] Using ID token as JWT assertion grant
vladimir at connect2id.com
Mon Sep 28 13:24:56 UTC 2015
On 28.09.2015 15:03, Thomas Broyer wrote:
> On Mon, Sep 28, 2015 at 1:16 PM Vladimir Dzhuvinov <vladimir at connect2id.com>
>> Is anyone using ID tokens as a JWT assertion grant to obtain access
>> tokens from an AS?
> Google is at least using something very similar:
Thanks for the pointer. This is an example of a client-generated JWT grant.
>> How do you go about satisfying the requirement that the AS URL (or AS
>> token endpoint URL) must be present in the ID token audience (aud)? (The
>> ID token audience is typically set to the client app).
> AIUI, the idea is that the JWT is generated *by* the client.
So in that case the ID token should be included as a claim in a JWT
generated by the client? The idea is to enable a client to obtain an access
token on behalf of a logged-in user by means of implicit consent, but
without having to go through a front-channel OAuth request.
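The audience requirement raised in this thread, as an added example that is not part of the original message: an AS-side check rejects an ID token whose aud is the client, and accepts a client-generated JWT whose aud is the token endpoint. All URLs, keys and identifiers are constructed, HS256 is used only to keep the sketch stdlib-only, and the "id_token" claim name is a hypothetical illustration of the question asked above, not a standardized claim.

```python
import base64, hashlib, hmac, json

TOKEN_ENDPOINT = "https://as.example.com/token"  # constructed AS token endpoint
CLIENT_ID = "client-123"                         # constructed client identifier
OP_KEY = b"constructed-op-key"                   # demo key that signs ID tokens
CLIENT_KEY = b"constructed-client-key"           # demo key the client shares with the AS
NOW = 1443446696                                 # fixed, constructed "current time"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict, key: bytes) -> str:
    """Serialize claims as a compact HS256 JWT."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def check_jwt_grant(token: str, key: bytes, now: float) -> str:
    """AS-side check of a JWT assertion grant; returns 'ok' or the rejection reason."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return "malformed"
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected).encode(), sig.encode()):
        return "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if TOKEN_ENDPOINT not in audiences:   # the AS must be an intended audience
        return "audience mismatch"
    if claims.get("exp", 0) <= now:
        return "expired"
    return "ok"

# ID token as typically issued: the audience is the client app, not the AS.
id_token = sign_jwt({"iss": "https://as.example.com", "sub": "alice",
                     "aud": CLIENT_ID, "exp": NOW + 300}, OP_KEY)
# Client-generated grant: the audience is the token endpoint; the ID token is
# carried in a hypothetical "id_token" claim (assumption, not a standard claim).
client_grant = sign_jwt({"iss": CLIENT_ID, "sub": "alice", "aud": TOKEN_ENDPOINT,
                         "exp": NOW + 300, "id_token": id_token}, CLIENT_KEY)

if __name__ == "__main__":
    print("ID token presented as grant:", check_jwt_grant(id_token, OP_KEY, NOW))
    print("client-generated grant:", check_jwt_grant(client_grant, CLIENT_KEY, NOW))
```

An AS accepting the wrapped form would still have to validate the embedded ID token separately (signature, issuer, and that its aud matches the client that signed the outer JWT); the sketch only covers the outer grant.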