[Openid-specs-mobile-profile] Terminology question with the addition of Token Binding
Michael.Engan1 at T-Mobile.com
Thu Apr 19 16:46:17 UTC 2018
So a question. With the addition of Token Binding, a client has to use the JWT as their authorization header to access a resource. This is so that the resource server can verify the token binding defined in the JWT with the TLS tunnel the client is using (or other non-TLS key binding).
I have seen various specs conflict on this terminology now.
Should the client use the ID_Token as the token to access resources?
Should the IDP return a JWT as the access token (meaning a client now gets two JWTs, the access token and the ID_Token)?
Principal Systems Architect,
Authentication, Authorization, & API security
12920 SE 38th Street | Bellevue, WA 98006
Direct 425-383-2268 | Mobile 425-443-3463
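
The resource-server check the message describes, as an added example that is not part of the original post or of any OpenID specification: a JWT is accepted only if its signature is valid and its binding matches the Token Binding ID of the TLS connection it arrived on. Assumptions: the binding is carried as a `cnf` claim with a `tbh` member (base64url SHA-256 of the Token Binding ID), the TLS layer hands that ID to the application as bytes, and tokens are HS256-signed with a demo key; the function names and sample values are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def tbh(token_binding_id: bytes) -> str:
    """base64url(SHA-256(Token Binding ID)), the value assumed in cnf.tbh."""
    return b64u_enc(hashlib.sha256(token_binding_id).digest())

def mint(claims: dict, key: bytes) -> str:
    """Issuer side (demo only): HS256-signed JWT."""
    head = b64u_enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u_enc(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u_enc(sig)}"

def verify_bound_jwt(token: str, key: bytes, tls_tb_id: bytes) -> dict:
    """Resource-server side: check the signature first, then the binding."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64u_dec(head)), json.loads(b64u_dec(body))
        raw_sig = b64u_dec(sig)
    except ValueError as exc:  # bad segment count, base64 or JSON
        raise ValueError("malformed JWT") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm server-side
    good = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(raw_sig, good):
        raise ValueError("bad signature")
    cnf = claims.get("cnf") if isinstance(claims, dict) else None
    bound = cnf.get("tbh") if isinstance(cnf, dict) else None
    if not isinstance(bound, str):
        raise ValueError("token carries no binding")
    if not hmac.compare_digest(bound.encode(), tbh(tls_tb_id).encode()):
        raise ValueError("token binding mismatch")
    return claims

# Constructed sample data: two clients' Token Binding IDs and a demo key.
KEY = b"demo-shared-secret"
TB_ID_A = b"constructed-token-binding-id-client-A"
TB_ID_B = b"constructed-token-binding-id-client-B"
TOKEN = mint({"sub": "alice", "cnf": {"tbh": tbh(TB_ID_A)}}, KEY)

if __name__ == "__main__":
    print(verify_bound_jwt(TOKEN, KEY, TB_ID_A)["sub"])  # TB_ID_B would raise
```

The same token presented over a connection with a different Token Binding ID is rejected even though its signature is valid, which is why the resource server needs a token it can parse rather than an opaque one.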