[Openid-specs-ab] Question about which ID Token to send as id_token_hint
John Bradley
ve7jtb at ve7jtb.com
Sat Sep 6 04:34:53 UTC 2014
The newest. It is signed so any should work as a hint even if they are expired, but fresher is better and the client shouldn't need to keep multiple id_tokens around.
Sent from my iPhone
> On Sep 5, 2014, at 11:46 PM, Mike Jones <Michael.Jones at microsoft.com> wrote:
>
> Hi all. A question has come from our development team about which ID Token to send as the id_token_hint value. It would obviously be easy to hold onto the original ID Token received forever and keep using that in prompt=none requests. The alternative is to use the newest ID Token received in an authentication response – such as the one received from the most recent prompt=none request.
>
> What guidance should we give developers in this regard?
>
> One argument I could see for using the most recent one is that the older the ID Token is, the more likely it is that the key used to sign it has been rotated out and may not be remembered by the server. Other thoughts?
>
> -- Mike
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
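
An added example, not part of the original thread: a sketch of the client behaviour the reply recommends, holding only the newest ID Token and sending it as id_token_hint in a prompt=none request. The class and function names and the endpoint and client values are hypothetical. It assumes each ID Token was already validated when it was received and that "newest" is judged by the iat claim.

```python
import base64
import json
from urllib.parse import urlencode


def claims_of(id_token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying it (used only to compare iat)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


class IdTokenHintStore:
    """Hypothetical client-side store that keeps one ID Token: the newest."""

    def __init__(self):
        self.current = None

    def offer(self, id_token: str) -> bool:
        """Keep the offered token unless the stored one was issued later."""
        if self.current is None or claims_of(id_token)["iat"] >= claims_of(self.current)["iat"]:
            self.current = id_token
            return True
        return False  # late-arriving older token: ignore it

    def silent_auth_url(self, authz_endpoint, client_id, redirect_uri, state, nonce):
        """Build a prompt=none request carrying the stored token as the hint."""
        params = {
            "response_type": "code",
            "scope": "openid",
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "state": state,
            "nonce": nonce,
            "prompt": "none",
        }
        if self.current is not None:
            params["id_token_hint"] = self.current
        return authz_endpoint + "?" + urlencode(params)


def fake_token(iat: int) -> str:
    """Constructed sample token; the third part is a placeholder, not a signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc({"sub": "alice", "iat": iat}), "sig"])
```

Calling `offer()` on every authentication response, including each successful prompt=none response, means the client never has to keep more than one ID Token.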