[Openid-specs-ab] Session

John Bradley ve7jtb at ve7jtb.com
Wed Apr 13 18:12:59 UTC 2011


To summarize, so that I have it straight.

So in the main flow you get an access token.

You use the access token to get the signed ID token from the get_id_token endpoint.

For 3rd parties where they may not have access to the symmetric secret, or particularly lazy clients who don't want to support base64 decoding etc., there is a check_id_token endpoint (direct) that returns an unsigned JWT.

There is a renew_id_token endpoint via redirect.

You say:
There’s no UI at this endpoint -- however, immediate mode can be used to suppress login page, which otherwise will be shown when user is not signed-in.


Perhaps the immediate mode reference is old?  From when we were talking about re-using the authorization endpoint.

In the JWT token we should also include a nonce to prevent replay types of attacks.   

Towards the end you indicate that the id_token may come directly from the token endpoint along with the access token. 

Which id_tokens are usable for session synchronization purposes and which are not? To keep things simple for clients, if the client obtains an id_token either by:

- Redeeming a code, always obtained via indirect communication through the browser;
- Supplying an access_token to the get_id_token endpoint where the access_token was obtained via indirect communication through the browser;

I am not against returning the ID_token from the token endpoint directly, but I thought that you wanted it to be a separate call.

John B.
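An added illustration of the two points raised above (a symmetric-secret signed ID token versus the unsigned JWT a lazy client would get back, and a nonce to stop replay). This is example code written for this page, not code from the thread or from any OpenID implementation; the issuer URL, client_id, shared secret and the helper names are constructed for the demo, and it uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed values for the demo; a real deployment would use its own issuer,
# client_id and a secret provisioned out of band.
ISSUER = "https://idp.example"          # hypothetical issuer
CLIENT_ID = "client-123"                # hypothetical client_id
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _enc_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_id_token(subject, nonce, secret=SHARED_SECRET, now=None, ttl=300, signed=True):
    """Server side: build an ID token. signed=False mimics the unsigned JWT
    a check_id_token-style endpoint would hand to a client that cannot verify."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256" if signed else "none", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": now, "exp": now + ttl, "nonce": nonce}
    signing_input = f"{_enc_json(header)}.{_enc_json(claims)}"
    if not signed:
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class ClientSession:
    """Client side: issues a fresh nonce per authorization request and accepts
    each nonce in a returned ID token exactly once."""

    def __init__(self, secret=SHARED_SECRET):
        self.secret = secret
        self.pending = set()   # nonces sent in requests not yet answered

    def new_nonce(self) -> str:
        nonce = secrets.token_urlsafe(16)
        self.pending.add(nonce)
        return nonce

    def verify_id_token(self, token: str, now=None) -> dict:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed JWT")
        header = json.loads(_b64url_decode(parts[0]))
        # Only the symmetric HS256 token is acceptable here; an 'alg: none'
        # token carries no proof of origin and is rejected outright.
        if header.get("alg") != "HS256":
            raise ValueError("unsigned or unexpected alg")
        expected = hmac.new(self.secret, f"{parts[0]}.{parts[1]}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(parts[1]))
        if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
            raise ValueError("wrong issuer or audience")
        if claims.get("exp", 0) <= now:
            raise ValueError("expired")
        nonce = claims.get("nonce")
        if nonce not in self.pending:
            raise ValueError("nonce unknown or already consumed (replay)")
        self.pending.discard(nonce)   # one-shot: a second presentation fails
        return claims


def demo() -> dict:
    """Round trip: first presentation accepted; replay, unsigned and
    wrong-key tokens rejected. Returns True per check when it behaved."""
    client = ClientSession()
    nonce = client.new_nonce()
    token = mint_id_token("user-42", nonce)
    results = {"first": client.verify_id_token(token)["sub"] == "user-42"}
    bad_cases = [
        ("replay", token),
        ("unsigned", mint_id_token("user-42", nonce, signed=False)),
        ("wrong_key", mint_id_token("user-42", client.new_nonce(), secret=b"other")),
    ]
    for name, bad in bad_cases:
        try:
            client.verify_id_token(bad)
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The nonce is generated by the client before it redirects the user, carried through the authorization request, echoed back inside the ID token, and then consumed on first use; that binding is what makes a captured token useless a second time. The unsigned variant is only worth anything when fetched directly from the provider over a direct, authenticated channel, which is why the client-side verifier here refuses it rather than trusting its claims.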