[Openid-specs-ab] Differentiating the id_token requester from the token audience

John Bradley ve7jtb at ve7jtb.com
Fri Mar 7 15:53:33 UTC 2014


At the moment, how to request an id_token for a third party is unspecified. We wanted to document azp in the core specs for security reasons, to prevent clients from mistakenly accepting tokens with azp set when they are expecting them to come directly from the issuer.

There is work on this happening in the Native Applications WG (NAPPS), where the request mechanism may be standardized for interoperability. At the moment there are a number of custom things, like overloading scopes, that people are using.

John B.

On Jun 5, 2013, at 2:03 PM, Pedro Felix <pmhsfelix at gmail.com> wrote:

> The ID Token format has support to separate the token audience ("aud") from the authorized party ("azp").
> 
> As an example, the Google API authorization uses this to differentiate between the mobile client requesting the id_token + code (the "azp") and the back-end server that will obtain the access_token and use the id claims (the "aud").
> Since there are now *two* client_ids involved, the Google API adds the back-end server client_id to the authorization request scope parameter (e.g. scope="audience:server:client_id:some_client_id other_scope" [1]).
> 
> However, I did not find any similar mechanism in the OpenID Connect specs. So, how can an authorization request define these two client_ids?
> 
> Thanks
> Pedro
> 
> [1] - https://developers.google.com/accounts/docs/CrossClientAuth
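An added example, not code from the thread or from any OpenID Connect implementation, of the aud/azp check John describes: a client that expects tokens issued directly to it rejects any token carrying a different azp, while a back-end server that accepts the cross-client flow Pedro describes accepts only an explicit list of requesting client_ids. The `trusted_azp` allow-list is an assumption of this example, not something the spec defines; signature, iss and exp checks are assumed to have happened already.

```python
# Added example (not from the original thread): enforcing a receiving party's
# policy on the "aud" and "azp" claims of an already signature-verified ID Token.
from typing import Iterable, Optional


class IdTokenAudienceError(ValueError):
    """The aud/azp claims do not match the receiving client's policy."""


def check_audience(claims: dict, client_id: str,
                   trusted_azp: Optional[Iterable[str]] = None) -> str:
    """Return the client_id of the party the token was actually issued to.

    client_id   - our own client_id; it must appear in "aud".
    trusted_azp - (assumed policy, not in the spec) client_ids of other parties
                  allowed to obtain tokens on our behalf, e.g. the mobile app in
                  the cross-client flow. None means: only tokens we requested
                  ourselves are acceptable, so any foreign "azp" is rejected.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):          # "aud" may be a single string or a list
        aud = [aud]
    if not aud or client_id not in aud:
        raise IdTokenAudienceError("token is not addressed to this client")

    azp = claims.get("azp")
    if azp is None:
        if len(aud) > 1:
            # Core spec: with multiple audiences the azp claim should be present.
            raise IdTokenAudienceError("multiple audiences but no azp claim")
        return client_id                  # issued directly to us
    if azp == client_id:
        return client_id                  # azp present but it is us: fine
    if trusted_azp is None or azp not in set(trusted_azp):
        # This is the mistake John warns about: a client expecting tokens straight
        # from the issuer must not accept one requested by an unknown third party.
        raise IdTokenAudienceError(f"token requested by untrusted party {azp!r}")
    return azp                            # delegated token from an allowed client


def is_rejected(claims: dict, client_id: str,
                trusted_azp: Optional[Iterable[str]] = None) -> bool:
    """True if check_audience() refuses the token under the given policy."""
    try:
        check_audience(claims, client_id, trusted_azp)
    except IdTokenAudienceError:
        return True
    return False
```

Constructed claims such as `{"aud": "server", "azp": "mobile"}` are accepted by the server only when `"mobile"` is in its `trusted_azp` list, and rejected outright when the server expects direct tokens.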
