[Openid-specs-ab] Lite Draft 9
Allen Tom
allentomdude at gmail.com
Mon Aug 22 20:00:09 UTC 2011
Hi Breno -
I don't have much first hand experience with FB's signed_request, but my
understanding is allows FB to return a signed response to an app, so that
the app knows that it came from FB.
https://developers.facebook.com/docs/authentication/signed_request/
The docs don't say that there are two Access Tokens, instead the Access
Token is a signed parameter contained within the signed_request.
My concern regarding the id_token and the CheckSession API is that it could
be confusing to tell developers that the id_token is an Access Token, but
only for the CheckSession API. All other endpoints use the regular Access
Token.
Allen
On Mon, Aug 22, 2011 at 12:31 PM, Breno de Medeiros <breno at google.com>wrote:
> On Mon, Aug 22, 2011 at 12:05, Allen Tom <allentomdude at gmail.com> wrote:
> > I think it might be confusing to developers to have multiple access
> tokens.
> > I don't think I've seen any other Connect/OAuth type implementations that
> > return multiple access tokens. Are there any examples out there?
>
> Yes. Facebook Connect uses signed_request as the id_token.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20110822/12a58f1c/attachment.html>
More information about the Openid-specs-ab
mailing list