[Openid-specs-ab] Introspection Profile for OpenID Connect
mike at gluu.org
Fri Sep 13 16:18:54 UTC 2013
Justin,
Thanks for the reply.
I guess if there is always a 1:1 relationship between access tokens and
id tokens, that works. It is a little counter-intuitive, because an acr
is an attribute of the authn transaction, not a user claim. So it seemed
to make sense to publish the acr in the JWT returned via introspection
on an access token.
- Mike
On 2013-09-13 11:10, Justin Richer wrote:
> If you're talking about the ID Token (which I assume you are since
> you're talking about using "token1" to log in), then the "acr" value
> should be inside the ID token itself, which your app2 can parse.
>
> But why would the person pass the token to app2? Wouldn't app2 want
> to start its own session with the user? I don't think you want people
> to be able to sling ID tokens around between apps -- the 'aud' claim
> would be wrong and it would need to be rejected anyway.
>
> -- Justin
>
> On 09/13/2013 12:00 PM, mike at gluu.org wrote:
>> Here is another clarification...
>>
>> Let's say I have two apps:
>> 1. app1 - requires acr = http://gluu.org/authn/auth_level/1
>> 2. app2 - requires acr = http://gluu.org/authn/auth_level/2
>>
>> I want SSO between two apps:
>>
>> 1) A Person tries to login to app1 (auth_level=1) => got token1
>>
>> 2) Then the Person tries to login to app2 with token1. So app2 needs
>> to introspect token1 to get auth_level to make sure it's 2 or higher.
>>
>> Is this just out of scope of OpenID Connect? I thought the use of
>> acr was in Connect?
>>
>> thx,
>>
>> Mike
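The check Justin describes above, as an added example that is not part of the thread and not code from any of the participants or from Gluu: app2 parses the ID Token itself rather than introspecting it, rejects it on the "aud" claim before ever looking at "acr", and a token issued for app2 with an "acr" of auth_level/1 is still rejected because its level is below 2. The acr URIs are the two from Mike's scenario; the issuer "https://op.example", the audiences "app1"/"app2", the fixed clock, and the HS256 shared key are all constructed for the demo (a real OP signs ID Tokens with an asymmetric key, and the "azp" check for multi-audience tokens is omitted).

```python
import base64
import hashlib
import hmac
import json

# Constructed mapping of the acr URIs from the thread to comparable levels.
ACR_LEVEL = {
    "http://gluu.org/authn/auth_level/1": 1,
    "http://gluu.org/authn/auth_level/2": 2,
}

ISSUER = "https://op.example"          # hypothetical OP
NOW = 1379088000                         # fixed clock for a deterministic demo
SHARED_KEY = b"constructed-demo-key-not-for-production"  # HS256 stand-in for the OP's real signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_id_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """OP stand-in: HS256-sign an ID Token carrying the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_id_token(token: str, expected_aud: str, required_level: int,
                      issuer: str = ISSUER, key: bytes = SHARED_KEY, now: int = NOW):
    """Relying-party side: verify signature, iss, aud and exp, then the acr level.

    Returns (ok, reason, claims). The aud check runs before the acr check, so a
    token minted for another RP is rejected regardless of how strong its acr is.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":            # never trust alg from the token blindly
        return False, "unexpected alg", None
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature", None
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != issuer:
        return False, "wrong issuer", claims
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        return False, "aud mismatch", claims
    if int(claims.get("exp", 0)) <= now:
        return False, "expired", claims
    level = ACR_LEVEL.get(claims.get("acr"), 0)  # unknown acr counts as level 0
    if level < required_level:
        return False, f"acr level {level} below required {required_level}", claims
    return True, "ok", claims


def _claims(aud: str, acr: str) -> dict:
    return {"iss": ISSUER, "sub": "person-1", "aud": aud, "iat": NOW,
            "exp": NOW + 3600, "acr": acr}


# token1: issued to app1 at auth_level/1 (Mike's step 1)
TOKEN1 = mint_id_token(_claims("app1", "http://gluu.org/authn/auth_level/1"))
# token issued to app2, but only at auth_level/1
TOKEN2_WEAK = mint_id_token(_claims("app2", "http://gluu.org/authn/auth_level/1"))
# token issued to app2 at auth_level/2 (what app2 actually needs)
TOKEN2 = mint_id_token(_claims("app2", "http://gluu.org/authn/auth_level/2"))

if __name__ == "__main__":
    print("app1 <- token1     :", validate_id_token(TOKEN1, "app1", 1)[:2])
    print("app2 <- token1     :", validate_id_token(TOKEN1, "app2", 2)[:2])
    print("app2 <- weak token :", validate_id_token(TOKEN2_WEAK, "app2", 2)[:2])
    print("app2 <- own token  :", validate_id_token(TOKEN2, "app2", 2)[:2])
```

Running it shows token1 accepted by app1, rejected by app2 with "aud mismatch" (the acr is never consulted), the app2-audience token at level 1 rejected on acr, and only a token issued to app2 at level 2 accepted. Ordering the checks this way is deliberate: the audience check is cheap and unconditional, so an ID Token slung from one app to another fails before any level comparison.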