[Openid-specs-ab] Spec call notes 08-Aug-11

Johnny Bufu jbufu at janrain.com
Wed Aug 10 18:26:29 UTC 2011


On 11-08-10 11:09 AM, John Bradley wrote:
> There is additional session related information in the id_token.
> It is only opaque to the lite spec.

Not sure I understand this. If it's the same term referring to the same
entity, it should have the same definition everywhere. Opaque vs 
transparent should be in relation to the party that is examining it, not 
the document it is defined in.

> A Full client just needs to check the signature and not use the
> introspection endpoint at all. This is the same thing Facebook is
> doing with signed request, we have just added a way for a client
> that doesn't understand crypto to validate the token.

If there are such significant differences between a lite(?) client and a
full client to the extent that they are the reasons that two separate 
specs exist, then these terms / parties and their roles should be 
clearly defined in their respective documents.

> Why not use the id_token both places.
[...]
> I guess the simple answer is that there may be different info in the
> two tokens.

The non-opaque ID token format has to be specified then, but I haven't 
seen this anywhere. Have I missed something essential?

Johnny
