<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">We have discussed connect and the resource owner credentials flow.<div><br></div><div>I think the decision was to try and not preclude it but that it probably needs its own extension spec.</div><div><br></div><div>It is different in that many of the things that work through the front channel won't work.</div><div><br></div><div>It is really a type of assertion flow where the client is trading a set of credentials for an assertion & token. rather than a SSO flow.</div><div><br></div><div>I don't happen to like the resource owner credentials flow as it is not comparable with multi factor authentication etc.</div><div><br></div><div>I would be OK with changing this to say that connect only defines returning a id_token with the code grant, but other grant types may define the semantics returning a id_token if appropriate.</div><div><br></div><div>John B.</div><div><br></div><div><div><div>On 2012-12-29, at 6:30 AM, Torsten Lodderstedt <<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="content-type" content="text/html; charset=utf-8"><div dir="auto"><div>*** taking this discussion to the list again :-) ***</div><div><br></div><div>In my opinion, the id token represents an authentication event and it doesn't matter whether this event took place in a web browser or during a backend call.</div><div><br></div><div>Regards,</div><div>Torsten.<br><br>Am 29.12.2012 um 00:41 schrieb Brian Campbell <<a href="mailto:bcampbell@pingidentity.com">bcampbell@pingidentity.com</a>>:<br><br></div><blockquote type="cite"><div dir="ltr">So an ID Token is tied (as much as is possible) to a web session at which the end user is present, which is really only achieved though interaction with the authorization endpoint. I'm only guessing/assuming though. <br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Dec 28, 2012 at 3:08 PM, Torsten Lodderstedt <span dir="ltr"><<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Why?<br><br>Am 28.12.2012 um 22:56 schrieb Brian Campbell <<a href="mailto:bcampbell@pingidentity.com" target="_blank">bcampbell@pingidentity.com</a>>:<br>
<br></div><div><div class="h5"><blockquote type="cite"><div dir="ltr">I'd always assumed that the intent was to preclude it?<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Dec 28, 2012 at 1:25 AM, Torsten Lodderstedt <span dir="ltr"><<a href="mailto:torsten@lodderstedt.net" target="_blank">torsten@lodderstedt.net</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><span style="background-color:rgba(255,255,255,0)">Hi,</span></div><div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div><div><span style="background-color:rgba(255,255,255,0)">I just noticed the following statement in messages:</span></div><span style="background-color:rgba(255,255,255,0)"><div><span style="background-color:rgba(255,255,255,0)"><br>
</span></div>"Note that <tt>id_token</tt> MUST NOT be returned if the <tt>grant_type</tt> is not <tt>authorization_code"</tt></span><div><span style="background-color:rgba(255,255,255,0)"><tt><br></tt></span></div>
<div><font face="monospace">What is the rational for this restriction? I remember discussions not to allow an exchange of refresh tokens for id tokens. That's ok. But I can imagine to provide clients with id tokens based on the password grant type. Do you want to preclude this?</font></div>
<div><font face="monospace"><br></font></div><div><font face="monospace">Regards,</font></div><div><font face="monospace">Torsten.</font></div><div><span style="background-color:rgba(255,255,255,0)"><tt><br>
</tt></span></div></div><br>_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
<br></blockquote></div><br></div>
</blockquote></div></div></div></blockquote></div><br></div>
</blockquote></div>_______________________________________________<br>Openid-specs-ab mailing list<br><a href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-specs-ab<br></blockquote></div><br></div></body></html>