[Openid-specs-ab] Id token at token endpoint
Torsten Lodderstedt
torsten at lodderstedt.net
Sat Dec 29 09:30:08 UTC 2012
*** taking this discussion to the list again :-) ***
In my opinion, the id token represents an authentication event and it doesn't matter whether this event took place in a web browser or during a backend call.
Regards,
Torsten.
On 29.12.2012 at 00:41, Brian Campbell <bcampbell at pingidentity.com> wrote:
> So an ID Token is tied (as much as is possible) to a web session at which the end user is present, which is really only achieved through interaction with the authorization endpoint. I'm only guessing/assuming though.
>
>
> On Fri, Dec 28, 2012 at 3:08 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>> Why?
>>
>> On 28.12.2012 at 22:56, Brian Campbell <bcampbell at pingidentity.com> wrote:
>>
>>> I'd always assumed that the intent was to preclude it?
>>>
>>>
>>> On Fri, Dec 28, 2012 at 1:25 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>>> Hi,
>>>>
>>>> I just noticed the following statement in messages:
>>>>
>>>> "Note that id_token MUST NOT be returned if the grant_type is not authorization_code"
>>>>
>>>> What is the rationale for this restriction? I remember discussions not to allow an exchange of refresh tokens for id tokens. That's ok. But I can imagine providing clients with id tokens based on the password grant type. Do you want to preclude this?
>>>>
>>>> Regards,
>>>> Torsten.
>>>>
>>>>
>