[Openid-specs-mobile-profile] Terminology question with the addition of Token Binding,

Engan, Michael Michael.Engan1 at T-Mobile.com
Thu Apr 19 16:46:17 UTC 2018


Good morning,

So a question. With the addition of Token Binding, a client has to use the JWT as their authorization header to access a resource. This is so that the Resource Server can verify the Token Binding defined in the JWT against the TLS tunnel the client is using (or other non-TLS key binding).

I have seen various specs conflict on this terminology now.

Should the Client Use the ID_Token as the Token to access resources?
OR
Should the IDP return a JWT as the Access Token (meaning a client now gets two JWTs, the Access Token and the ID_Token)?



Michael Engan
Principal Systems Architect,
Authentication, Authorization, & API security
12920 SE 38th Street | Bellevue, WA 98006
Direct 425-383-2268 | Mobile 425-443-3463
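As an added example (not code from the original message or from any OpenID spec draft), this is the resource-server check the question describes: the JWT carries a `cnf.tbh` claim (base64url of SHA-256 over the Token Binding ID), and the RS recomputes that hash from the Token Binding ID negotiated on the client's own TLS connection and rejects the token if it does not match. The key, claims and Token Binding ID bytes are constructed, and HS256 is used only to keep the example self-contained.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def token_binding_hash(tb_id: bytes) -> str:
    # "tbh" = base64url(SHA-256(Provided Token Binding ID)), as in the OAuth Token Binding draft
    return b64url(hashlib.sha256(tb_id).digest())

def issue_bound_jwt(claims: dict, tb_id: bytes, key: bytes) -> str:
    # IDP / AS side: bind the token to the client's Token Binding ID via the cnf claim
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = dict(claims, cnf={"tbh": token_binding_hash(tb_id)})
    payload = b64url(json.dumps(body).encode())
    sig = b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"

def verify_bound_jwt(token: str, tls_tb_id: bytes, key: bytes) -> bool:
    # Resource Server side: verify the signature first, then compare cnf.tbh with the
    # hash of the Token Binding ID actually negotiated on this TLS connection.
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = b64url(hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    claims = json.loads(b64url_decode(payload))
    tbh = claims.get("cnf", {}).get("tbh")
    if not isinstance(tbh, str):
        return False  # unbound token: reject when Token Binding is required
    return hmac.compare_digest(tbh.encode(), token_binding_hash(tls_tb_id).encode())

# Constructed sample values (not real keys or Token Binding IDs)
KEY = b"shared-secret-for-demo"
CLIENT_TB_ID = b"\x02\x00\x41" + bytes(range(64))        # the legitimate client's TB ID
OTHER_TB_ID = b"\x02\x00\x41" + bytes(range(64, 128))     # a different TLS connection's TB ID
ACCESS_TOKEN = issue_bound_jwt({"sub": "alice", "scope": "read"}, CLIENT_TB_ID, KEY)
```

A token replayed over a connection with a different Token Binding ID fails the `cnf.tbh` comparison even though its signature is valid, which is the property the binding is meant to give the Resource Server.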


