[Openid-specs-ab] More the one token
John Bradley
ve7jtb at ve7jtb.com
Thu Feb 12 13:04:47 UTC 2015
Yes, they are independent access tokens. The one returned in the response from the authorization endpoint is for a client in the browser and the one from the token_endpoint is for a backend server that has client credentials. The one for the confidential part of the client might have more permissions and/or a longer life.
John B.
Sent from my iPhone
> On Feb 12, 2015, at 6:38 AM, Roland Hedberg <roland.hedberg at umu.se> wrote:
>
> Hi!
>
> Encountered this the other day.
>
> If the RP does an authentication request with response_type="code token" it can potentially end up with two
> tokens. One T(1) which it got directly in the authentication response and the other T(2) which it got by
> using the code at the token endpoint.
>
> The standard is not very explicit on the relationship between T(1) and T(2).
> They are obviously issued by the same OP based on the same authentication event but there the likeness may end.
>
> So for instance I may get different results if I use T(1) or T(2) at the userinfo endpoint.
>
> My implementation allows T(1) and T(2) to be active at the same time, they live independent lives.
> I wonder if that is common?
>
> - Roland
>
> "It is the consequence of humanity. We are all formed of frailty and error; let us pardon reciprocally each others' folly - that is the first law of nature." - Voltaire
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
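The two-token situation the thread describes, as an added illustration (not code from any OP or RP implementation mentioned here): a toy OpenID Provider handling response_type="code token". T(1) is issued on the front channel with a constructed policy of a narrow scope and short lifetime, because it travels through the browser; T(2) is issued on the back channel to the confidential client after it authenticates, with the full requested scope and a longer lifetime. The userinfo endpoint answers from each token's own scope, so the same authentication event yields different claims for T(1) and T(2), and revoking or expiring one leaves the other untouched. Client ids, secrets, scopes, lifetimes and the user record are all constructed values.

```python
"""Toy model of the OIDC hybrid flow (response_type="code token") showing why
T(1) and T(2) are independent tokens with different scope and lifetime.
Added illustration for this thread; not code from any OP or RP implementation.
Tokens are opaque server-side records; the issuance policy is constructed."""
import secrets
from dataclasses import dataclass


@dataclass
class AccessToken:
    value: str
    client_id: str
    sub: str
    scope: frozenset
    issued_at: float
    lifetime: int
    revoked: bool = False

    def active(self, now):
        return not self.revoked and now < self.issued_at + self.lifetime


class AuthorizationServer:
    """Minimal OP: authorization endpoint, token endpoint, userinfo, revocation."""
    FRONT_LIFETIME = 600      # constructed policy: T(1) rides the URL fragment, keep it short
    BACK_LIFETIME = 3600      # constructed policy: T(2) goes to the confidential client
    FRONT_SCOPES = frozenset({"openid"})  # constructed policy: no email/profile in T(1)
    CODE_LIFETIME = 60

    def __init__(self, clients, users):
        self.clients = clients   # client_id -> {"secret": ...}
        self.users = users       # sub -> claims
        self.codes = {}
        self.tokens = {}

    def _issue(self, client_id, sub, scope, lifetime, now):
        tok = AccessToken(secrets.token_urlsafe(24), client_id, sub, frozenset(scope), now, lifetime)
        self.tokens[tok.value] = tok
        return tok

    def authorize(self, client_id, response_type, scope, sub, now):
        """Front channel: the authentication response the RP receives in the redirect."""
        if client_id not in self.clients:
            raise PermissionError("unauthorized_client")
        types, requested = set(response_type.split()), frozenset(scope.split())
        if "openid" not in requested:
            raise ValueError("invalid_scope")
        response = {}
        if "code" in types:
            code = secrets.token_urlsafe(16)
            self.codes[code] = {"client_id": client_id, "sub": sub, "scope": requested,
                                "issued_at": now, "used": False}
            response["code"] = code
        if "token" in types:  # T(1): scope clipped to what may pass through the browser
            t1 = self._issue(client_id, sub, requested & self.FRONT_SCOPES, self.FRONT_LIFETIME, now)
            response.update(access_token=t1.value, token_type="Bearer", expires_in=t1.lifetime)
        return response

    def token(self, code, client_id, client_secret, now):
        """Back channel: code exchange by the confidential part of the client."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.get(code)
        if (grant is None or grant["used"] or grant["client_id"] != client_id
                or now > grant["issued_at"] + self.CODE_LIFETIME):
            raise PermissionError("invalid_grant")
        grant["used"] = True  # a code is single use
        t2 = self._issue(client_id, grant["sub"], grant["scope"], self.BACK_LIFETIME, now)
        return {"access_token": t2.value, "token_type": "Bearer", "expires_in": t2.lifetime}

    def userinfo(self, bearer, now):
        """Claims released depend only on the presented token's own scope."""
        tok = self.tokens.get(bearer)
        if tok is None or not tok.active(now):
            raise PermissionError("invalid_token")
        user = self.users[tok.sub]
        claims = {"sub": tok.sub}
        if "email" in tok.scope:
            claims["email"] = user["email"]
        if "profile" in tok.scope:
            claims["name"] = user["name"]
        return claims

    def revoke(self, bearer):
        if bearer in self.tokens:
            self.tokens[bearer].revoked = True


def run_hybrid_flow(now=1_000_000.0):
    """Walk one code-token request through the OP and report how T(1) and T(2) differ."""
    op = AuthorizationServer(clients={"rp": {"secret": "rp-secret-constructed"}},
                             users={"alice": {"email": "alice@example.test", "name": "Alice"}})
    front = op.authorize("rp", "code token", "openid email profile", "alice", now)
    t1 = front["access_token"]
    t2 = op.token(front["code"], "rp", "rp-secret-constructed", now + 1)["access_token"]
    try:  # replaying the code must fail
        op.token(front["code"], "rp", "rp-secret-constructed", now + 2)
        code_reuse_rejected = False
    except PermissionError:
        code_reuse_rejected = True
    result = {"distinct": t1 != t2, "code_reuse_rejected": code_reuse_rejected,
              "userinfo_t1": op.userinfo(t1, now + 5), "userinfo_t2": op.userinfo(t2, now + 5),
              "t1_expired_first": not op.tokens[t1].active(now + 700) and op.tokens[t2].active(now + 700)}
    op.revoke(t1)  # revoking T(1) says nothing about T(2)
    result["t2_active_after_t1_revoked"] = op.tokens[t2].active(now + 5)
    return result
```

Running run_hybrid_flow() shows the behaviour Roland asked about: userinfo returns only sub for T(1) but sub, email and name for T(2), T(1) expires well before T(2), and revoking T(1) does not touch T(2). An RP that keeps both tokens therefore has to record which token came from which channel and treat them as separate credentials with separate lifecycles.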