[Openid-specs-ab] Question about which ID Token to send as id_token_hint
Mike Jones
Michael.Jones at microsoft.com
Fri Sep 5 21:46:16 UTC 2014
Hi all. A question has come from our development team about which ID Token to send as the id_token_hint value. It would obviously be easy to hold onto the original ID Token received forever and keep using that in prompt=none requests. The alternative is to use the newest ID Token received in an authentication response - such as the one received from the most recent prompt=none request.
What guidance should we give developers in this regard?
One argument I could see for using the most recent one is that the older the ID Token is, the more likely it is that the key used to sign it has been rotated out and may not be remembered by the server. Other thoughts?
-- Mike
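Added example, not part of the original message and not code from any OpenID implementation: a sketch of the "newest ID Token" alternative on the RP side, plus the key-rotation concern as the server would see it through the token's `kid` header. `HintStore`, the helper names, the issuer `https://op.example`, the key ids and both tokens are constructed for illustration; the tokens are unsigned and are assumed to have been validated when first received.

```python
import base64, json
from urllib.parse import urlencode

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _decode(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def parse_unverified(id_token: str):
    """Split a compact JWS into (header, claims). No signature check here:
    the RP is assumed to have validated the token when it was received."""
    header, payload, _signature = id_token.split(".")
    return _decode(header), _decode(payload)

class HintStore:
    """Hypothetical RP-side store: one ID Token per (iss, sub), newest iat wins."""
    def __init__(self):
        self._held = {}

    def offer(self, id_token: str) -> None:
        claims = parse_unverified(id_token)[1]
        key = (claims["iss"], claims["sub"])
        held = self._held.get(key)
        if held is None or claims["iat"] >= parse_unverified(held)[1]["iat"]:
            self._held[key] = id_token

    def hint(self, iss: str, sub: str):
        return self._held.get((iss, sub))

def silent_auth_url(endpoint, client_id, redirect_uri, state, nonce, hint):
    """Build a prompt=none authentication request carrying id_token_hint."""
    return endpoint + "?" + urlencode({
        "response_type": "code", "scope": "openid", "client_id": client_id,
        "redirect_uri": redirect_uri, "state": state, "nonce": nonce,
        "prompt": "none", "id_token_hint": hint})

def hint_key_still_published(id_token: str, current_kids: set) -> bool:
    """The rotation concern, seen from the OP: is the hint's kid still known?"""
    return parse_unverified(id_token)[0].get("kid") in current_kids

def sample_token(kid: str, iat: int) -> str:
    """Constructed, unsigned sample token (signature segment is a placeholder)."""
    header = {"alg": "RS256", "kid": kid}
    claims = {"iss": "https://op.example", "sub": "user-1", "aud": "rp-1", "iat": iat}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "c2ln"])

ORIGINAL = sample_token("key-2014-01", 1388534400)   # constructed: first login
LATEST = sample_token("key-2014-09", 1409953576)     # constructed: latest prompt=none response
```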