[Openid-specs-fapi] FAPI Profile and openid scope value
Torsten Lodderstedt
torsten at lodderstedt.net
Wed Aug 1 09:07:30 UTC 2018
Hi Dave,
> Am 01.08.2018 um 06:44 schrieb Dave Tonge <dave.tonge at momentumft.co.uk>:
>
> I don't think it would make sense for a client to sometimes request a response type of `signed_code` and sometimes request a response type of `code id_token`, as Nat says that seems to be conflating things.
I agree.
What about always using the new response type?
For API access authorization, the client would request
GET /authorise?response_type=signed_code&
client_id=s6BhdRkqt3&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
scope=pis:f0bbf1fd-2857-4e1b-a403-9fd1dc171183&
state=S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw&
nonce=n-0S6_WzA2Mj HTTP/1.1
Host: accounts.example-bank.com
whereas for identity federation it would just request with another scope value
GET /authorise?response_type=signed_code&
client_id=s6BhdRkqt3&
redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&
scope=openid%20email%20profile&
state=S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw&
nonce=n-0S6_WzA2Mj HTTP/1.1
Host: accounts.example-bank.com
In the latter example, the client would obtain the ID Token from the token endpoint using the authorization code.
Kind regards,
Torsten.
PS: I created a tracker issue for my proposal.
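The two requests above differ only in the scope value, so an authorization server that always expects the proposed `signed_code` response type can decide from the scope alone whether an ID Token will later be issued from the token endpoint. The following Python is an added example (not from this thread or any FAPI implementation): it validates the request line against a constructed client registration and classifies it; the `pis:<uuid>` scope pattern and the registration data are assumptions for illustration.

```python
import re
import uuid
from urllib.parse import parse_qs, urlsplit

# Parameters every request in the proposal carries (response_type is always signed_code).
REQUIRED = ("response_type", "client_id", "redirect_uri", "scope", "state", "nonce")
# Constructed registration data for the client_id used in the mail (assumption).
REGISTERED_REDIRECTS = {"s6BhdRkqt3": {"https://client.example.com/cb"}}

# The two example requests from the mail, joined onto single request lines (constructed).
API_REQUEST = ("GET /authorise?response_type=signed_code&client_id=s6BhdRkqt3&"
               "redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&"
               "scope=pis:f0bbf1fd-2857-4e1b-a403-9fd1dc171183&"
               "state=S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw&nonce=n-0S6_WzA2Mj HTTP/1.1")
FED_REQUEST = API_REQUEST.replace("scope=pis:f0bbf1fd-2857-4e1b-a403-9fd1dc171183",
                                  "scope=openid%20email%20profile")

def classify_request(request_line: str) -> dict:
    """Validate an authorization request line and say what the AS should issue."""
    method, target, _version = request_line.split()
    if method != "GET":
        return {"error": "invalid_request", "reason": "unexpected method"}
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # A repeated parameter (two redirect_uri values, two scopes) is ambiguous: reject it.
    dup = [k for k, v in params.items() if len(v) > 1]
    if dup:
        return {"error": "invalid_request", "reason": f"duplicate parameter {dup[0]}"}
    flat = {k: v[0] for k, v in params.items()}
    missing = [k for k in REQUIRED if k not in flat]
    if missing:
        return {"error": "invalid_request", "reason": f"missing {missing[0]}"}
    # Only the proposed response type is accepted; 'code id_token' style mixes are refused.
    if flat["response_type"] != "signed_code":
        return {"error": "unsupported_response_type", "reason": flat["response_type"]}
    if flat["redirect_uri"] not in REGISTERED_REDIRECTS.get(flat["client_id"], set()):
        return {"error": "invalid_request", "reason": "redirect_uri not registered"}
    scopes = flat["scope"].split()
    if "openid" in scopes:
        # Identity federation: the ID Token is obtained from the token endpoint with the code.
        return {"mode": "identity_federation", "id_token_from": "token_endpoint", "scopes": scopes}
    # API access: every scope must name a resource as pis:<uuid> (assumed convention).
    resources = []
    for s in scopes:
        m = re.fullmatch(r"pis:([0-9a-fA-F-]{36})", s)
        if not m:
            return {"error": "invalid_scope", "reason": s}
        try:
            resources.append(str(uuid.UUID(m.group(1))))
        except ValueError:
            return {"error": "invalid_scope", "reason": s}
    return {"mode": "api_access", "id_token_from": None, "resources": resources}
```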