[Openid-specs-ab] Using ID token as JWT assertion grant
Vladimir Dzhuvinov
vladimir at connect2id.com
Mon Sep 28 13:24:56 UTC 2015
Hi Thomas,

On 28.09.2015 15:03, Thomas Broyer wrote:
> On Mon, Sep 28, 2015 at 1:16 PM Vladimir Dzhuvinov <vladimir at connect2id.com>
> wrote:
>
>> Hello,
>>
>> Is anyone using ID tokens as a JWT assertion grant to obtain access
>> tokens from an AS?
>>
> Google is at least using something very similar:
> https://developers.google.com/identity/protocols/OAuth2ServiceAccount
>

Thanks for the pointer. This is an example of a client-generated JWT grant.

>> How do you go about satisfying the requirement that the AS URL (or AS
>> token endpoint URL) must be present in the ID token audience (aud)? (The
>> ID token audience is typically set to the client app).
>>
> AIUI, the idea is that the JWT is generated *by* the client.
>

So in that case the ID token should be included as a claim in a JWT
generated by the client? The idea is to enable a client to obtain an access
token on behalf of a logged-in user by means of implicit consent, but
without having to go through a front-channel OAuth request.

Vladimir

--
Vladimir Dzhuvinov
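
Added example, not part of the original message or of any implementation mentioned in the thread: an AS-side check of the audience requirement discussed above, run once against an ID token whose `aud` is the client and once against a client-generated JWT whose `aud` is the token endpoint. All URLs, keys and identifiers are constructed, HS256 stands in for the asymmetric signatures real deployments use, and the `id_token` claim name is a hypothetical way of carrying the ID token inside the client's JWT.

```python
import base64, hashlib, hmac, json
# Constructed values for this example; none come from the thread.
TOKEN_ENDPOINT = "https://as.example.com/token"
CLIENT_ID = "client-123"
OP_KEY = b"constructed-op-key"          # stand-in for the OP's signing key
CLIENT_KEY = b"constructed-client-key"  # stand-in for the client's signing key
NOW = 1443446696                        # fixed clock so the run is repeatable

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims, key):
    """Compact HS256 JWT; HS256 keeps the example stdlib-only."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(mac)}"

def check_assertion(jwt, key, now):
    """AS-side checks on a JWT grant: signature, expiry, then audience."""
    try:
        head, body, sig = jwt.split(".")
        if json.loads(b64u_decode(head)).get("alg") != "HS256":
            return False, "unexpected alg"
        mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(mac, b64u_decode(sig)):
            return False, "bad signature"
        claims = json.loads(b64u_decode(body))
        exp, aud = claims.get("exp", 0), claims.get("aud")
    except (ValueError, AttributeError):
        return False, "malformed"
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired"
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience does not identify the AS"
    return True, "ok"

# ID token as an OP would issue it: aud is the client, not the AS.
ID_TOKEN = sign_jwt({"iss": "https://op.example.com", "sub": "alice",
                     "aud": CLIENT_ID, "exp": NOW + 300}, OP_KEY)
# Client-generated grant: aud is the token endpoint; "id_token" is a hypothetical claim name.
CLIENT_JWT = sign_jwt({"iss": CLIENT_ID, "sub": "alice", "aud": TOKEN_ENDPOINT,
                       "exp": NOW + 300, "id_token": ID_TOKEN}, CLIENT_KEY)

if __name__ == "__main__":
    print(check_assertion(ID_TOKEN, OP_KEY, NOW), check_assertion(CLIENT_JWT, CLIENT_KEY, NOW))
```

The check stops at the outer JWT; an AS that accepted such a grant would still have to verify the nested ID token against the OP's key before trusting its subject.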