<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>*** taking this discussion to the list again :-) ***</div><div><br></div><div>In my opinion, the id token represents an authentication event and it doesn't matter whether this event took place in a web browser or during a backend call.</div><div><br></div><div>Regards,</div><div>Torsten.<br><br>Am 29.12.2012 um 00:41 schrieb Brian Campbell <<a href="mailto:bcampbell@pingidentity.com">bcampbell@pingidentity.com</a>>:<br><br></div><blockquote type="cite"><div><div dir="ltr">So an ID Token is tied (as much as is possible) to a web session at which the end user is present, which is really only achieved though interaction with the authorization endpoint. I'm only guessing/assuming though. <br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Dec 28, 2012 at 3:08 PM, Torsten Lodderstedt <span dir="ltr"><<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Why?<br><br>Am 28.12.2012 um 22:56 schrieb Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>>:<br>
<br></div><div><div class="h5"><blockquote type="cite"><div><div dir="ltr">I'd always assumed that the intent was to preclude it?<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Dec 28, 2012 at 1:25 AM, Torsten Lodderstedt <span dir="ltr"><<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><span style="background-color:rgba(255,255,255,0)">Hi,</span></div><div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div><div><span style="background-color:rgba(255,255,255,0)">I just noticed the following statement in messages:</span></div><span style="background-color:rgba(255,255,255,0)"><div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>"Note that <tt>id_token</tt> MUST NOT be returned if the <tt>grant_type</tt> is not <tt>authorization_code"</tt></span><div><span style="background-color:rgba(255,255,255,0)"><tt><br></tt></span></div>
<div><font face="monospace"><span>What is the rational for this restriction? I remember discussions not to allow an exchange of refresh tokens for id tokens. That's ok. But I can imagine to provide clients with id tokens based on the password grant type. Do you want to preclude this?</span></font></div>
<div><font face="monospace"><span><br></span></font></div><div><font face="monospace"><span>Regards,</span></font></div><div><font face="monospace"><span>Torsten.</span></font></div><div><span style="background-color:rgba(255,255,255,0)"><tt><br>
</tt></span></div></div><br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br></div>
</div></blockquote></div></div></div></blockquote></div><br></div>
</div></blockquote></body></html>