[Openid-specs-ab] Id_tokens, sessions and offline_access

George Fletcher gffletch at aol.com
Mon Jun 20 21:23:25 UTC 2016


Got thinking about a use case today and realized I haven't heard any 
recommendations regarding best practice. Here is the use case.

A website needs to request offline_access for a user when they log into 
the web site so that the site can perform operations on the user's 
behalf even when the user is not logged in.

If the website uses OpenID Connect to authenticate the user and obtain 
the authorization tokens, should the id_token be bound to the user's 
"web authentication session" or not (since offline_access is requested)? 
The OpenID Connect core spec has the following text in section

        ID Token value associated with the authenticated session. 

This could imply that the id_token MUST always be bound to the user's 
authenticated session even in the case of a scope of 'offline_access'. 
Also, the fact that section 11 of the same spec does not mention id_tokens 
when discussing the scope of 'offline_access' could imply that the 
'offline_access' scope does NOT apply to id_tokens.

If the above interpretation is the consensus, then what is the best way 
to "validate" an id_token to determine if the IdP "authenticated 
session" is still valid?


