[OpenID] implicit and id_token

Nat Sakimura sakimura at gmail.com
Tue Jun 9 02:26:08 UTC 2015


Indeed, id_token works as a detached signature over a blob including but
not limited to an access token by design. As you point out, this capability
can be quite interesting in various ways.

On Thursday, 28 May 2015, Peter Williams <home_pw at msn.com> wrote:

> one thing I'm finding interesting is the world in which .js apps not only
> obtain control over an id_token blob (via openid connect handshakes
> using the implicit flow) but use it (vs an access token) to talk to one or
> more API endpoints.
>
> It's interesting because of semantic differences - differences from the
> classical oauth2 world of access tokens, of course. Certs are
> audience-free, of course (being intended for use by anyone, in a process of
> relying on digital signatures). Both audience-free and audience-controlled
> id_tokens are now interesting. The combination of the audience-free cert
> (shared with an API endpoint using SSL client authn) and the
> audience-free/controlled id_token is also a very interesting combination -
> particularly when the cert is self-signed.
>
> One can see a world in which consumers post the (self-signed) cert and the
> id_token to a discovery-site ...that allows others to discover the asserted
> binding between the cert and the id_token, facilitating lots more digital
> signature uptake. One sees how the id_token might be "signing" that
> document (if you recall how in ws-* land, tokens could "sign" (XML)
> messages).
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
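The point Nat makes above, that an id_token is a detached signature over a blob which includes the access token, rests on the at_hash claim: the token carries the left half of a SHA-256 digest of the access token, and the signature covers that claim. The example below, which is added here and is not code from this thread or from the OpenID Foundation, mints a minimal HS256 id_token by hand and then verifies it the way an API endpoint in Peter's scenario would have to: signature, issuer, audience, expiry, and the at_hash binding to the access token presented alongside it. The secret, issuer URL, client id and token values are all constructed for the demonstration; a real IdP would sign with an asymmetric key and publish it via discovery.

```python
# Added example, not from the thread: a hand-built id_token shows how the
# signature binds the access token (at_hash) and how aud restricts who may
# accept the token. All keys, URLs and token values below are constructed.
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret-not-for-real-use"  # constructed HS256 key
ISSUER = "https://idp.example"       # assumed issuer URL
CLIENT_ID = "spa-client-123"         # assumed client id (the intended audience)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def at_hash(access_token: str) -> str:
    # OIDC Core: left-most half of the digest used by the signing alg
    # (SHA-256 for HS256/RS256), base64url-encoded without padding.
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def mint_id_token(subject: str, access_token: str, now: int) -> str:
    """Issue an id_token whose signature covers the at_hash of access_token."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": CLIENT_ID,
        "iat": now,
        "exp": now + 300,
        "at_hash": at_hash(access_token),
    }
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_id_token(token: str, access_token: str, expected_aud: str, now: int) -> dict:
    """Return the claims if token is valid for expected_aud and bound to
    access_token; raise ValueError with a reason otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, c_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # reject alg=none and alg swaps
    expected = hmac.new(SECRET, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("token not intended for this audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    # The detached-signature property: the signed at_hash must match the
    # access token actually presented with this id_token.
    if not hmac.compare_digest(str(claims.get("at_hash", "")), at_hash(access_token)):
        raise ValueError("access token does not match at_hash")
    return claims


def check(token: str, access_token: str, expected_aud: str, now: int) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        verify_id_token(token, access_token, expected_aud, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_id_token("alice", "access-A", now)
    print(check(tok, "access-A", CLIENT_ID, now + 10))   # ok
    print(check(tok, "access-B", CLIENT_ID, now + 10))   # at_hash mismatch
    print(check(tok, "access-A", "other-api", now + 10))  # wrong audience
```

The audience check is the part that matters most for the API-endpoint use Peter describes: an endpoint that accepts any validly signed id_token, rather than only tokens whose aud names it (or a client it trusts), will accept tokens the IdP issued for an unrelated relying party. The at_hash check is what lets a verifier treat the id_token as a signature over the accompanying access token rather than as an independent credential.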