[Openid-specs-ab] Lite Draft 8
Johnny Bufu
jbufu at janrain.com
Wed Aug 17 00:08:24 UTC 2011
On 11-08-16 04:44 PM, John Bradley wrote:
> Perhaps just not calling it out as opaque. We don't say that about the
> user-info access token, because it is assumed in OAuth.
Isn't there another relevant difference that would warrant calling it
opaque for some parties but not for others?
The ID token will actually contain payload/information that can be
extracted and understood by servers and full clients; the access token
is just an identifier for a grant entry stored by the server.
> I am leaning towards describing it as the access token for the Check
> Session endpoint.
Is the check session endpoint the same as the introspection endpoint?
> I asked in another email if id_token is perhaps a bad name? Perhaps session?
I'm fine with either; not sure if the name led to confusion, or the lack
of explanations.
If it can be used for anything else besides sending it to the check
session endpoint, I'd prefer calling it id_token: it describes
reasonably well what it is, as it contains the user_id field. Successful
processing results in verified identification of the authenticated user.
Johnny
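
The contrast drawn in this message, as an added example that is not part of the original post or of any OpenID draft: a client holding the key can verify a signed ID token and read `user_id` locally, while an access token is a random handle that only the issuing server can resolve. The HS256 compact encoding, the shared key, and every name except `user_id` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, header: str, body: str) -> bytes:
    return hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()

def make_id_token(claims: dict, key: bytes) -> str:
    """Server side: sign the claims so the token carries its own payload."""
    header = b64u(json.dumps({"alg": "HS256"}).encode())
    body = b64u(json.dumps(claims).encode())
    return f"{header}.{body}.{b64u(_mac(key, header, body))}"

def verify_id_token(token: str, key: bytes) -> dict:
    """Full-client side: check the signature locally, then read the payload."""
    try:
        header, body, sig = token.split(".")
        # Pin the algorithm instead of trusting whatever the header asks for.
        if json.loads(b64u_dec(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(_mac(key, header, body), b64u_dec(sig)):
            raise ValueError("bad signature")
        return json.loads(b64u_dec(body))
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError(f"id_token rejected: {exc}") from None

# Hypothetical server-side grant store: the access token is only a key into it.
GRANTS: dict = {}

def issue_access_token(user_id: str, scope: str) -> str:
    handle = secrets.token_urlsafe(16)  # random, carries no information
    GRANTS[handle] = {"user_id": user_id, "scope": scope}
    return handle

def resolve_access_token(handle: str):
    """Only the server can do this; an unknown handle resolves to None."""
    return GRANTS.get(handle)

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample value
    id_token = make_id_token({"user_id": "u-123"}, key)
    print(verify_id_token(id_token, key))           # payload read by the client
    access_token = issue_access_token("u-123", "openid")
    print(access_token, resolve_access_token(access_token))
```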