[Openid-specs-ab] Id_tokens, sessions and offline_access
gffletch at aol.com
Mon Jun 20 21:23:25 UTC 2016
Got thinking about a use case today and realized I haven't heard any
recommendations regarding best practice. Here is the use case.
A website needs to request offline_access for a user when they log into
the web site so that the site can perform operations on the user's
behalf even when the user is not logged in.
If the website uses OpenID Connect, to authenticate the user and obtain
the authorization tokens, should the id_token be bound to the user's
"web authentication session" or not (since offline_access is requested).
The OpenID Connect core spec has the following text in section 184.108.40.206:
ID Token value associated with the authenticated session.
This could imply that the id_token MUST always be bound to the user's
authenticated session even in the case of a scope of 'offline_access'.
Also given that section 11 of the same spec does not mention id_tokens
when discussing the scope of 'offline_access' could imply that the
'offline_access' scope does NOT apply to id_tokens.
If the above interpretation is the consensus, then what is the best way
to "validate" an id_token to determine if the IdP "authenticated
session" is still valid?
More information about the Openid-specs-ab