[Openid-specs-mobile-profile] Terminology question with the addition of Token Binding,

Hjelm, Bjorn Bjorn.Hjelm at VerizonWireless.com
Fri Apr 20 13:28:40 UTC 2018

For the benefit of the various participants in the working group, could you give some examples to highlight the conflicts?


From: Openid-specs-mobile-profile [mailto:openid-specs-mobile-profile-bounces at lists.openid.net] On Behalf Of Engan, Michael
Sent: Thursday, April 19, 2018 9:46 AM
To: openid-specs-mobile-profile at lists.openid.net
Subject: [E] [Openid-specs-mobile-profile] Terminology question with the addition of Token Binding,

Good morning,

So, a question. With the addition of Token Binding, a client has to use the JWT as their authorization header to access a resource. This is so that the Resource server can verify the Token Binding defined in the JWT with the TLS tunnel the client is using (or other non-TLS key binding).

I have seen various specs conflict on this terminology now.

Should the Client use the ID_Token as the Token to access resources?
Should the IDP return a JWT as the Access token (meaning a client now gets two JWTs, the Access token and the ID_Token)?

Michael Engan
Principal Systems Architect,
Authentication, Authorization, & API security
12920 SE 38th Street | Bellevue, WA 98006
Direct 425-383-2268 | Mobile 425-443-3463
