[Openid-specs-ab] JWT Access Token <> ID Token mixups
Dominick Baier
dbaier at leastprivilege.com
Mon Oct 2 07:02:41 UTC 2017
We’ve come across a number of implementations that promote the use of
id_tokens as access tokens e.g. Microsoft Azure AD (B2C), Google and Auth0.
Every time we argue with e.g. Microsoft - they say “we did our own threat
modelling and it's fine”. So maybe the spec should be very explicit about
why this is not allowed or when exactly this is OK or not.
There is a long thread here:
https://github.com/IdentityServer/IdentityServer3/issues/2015
-------
Dominick Baier
On 29. September 2017 at 07:56:56, Filip Skokan via Openid-specs-ab (
openid-specs-ab at lists.openid.net) wrote:
Hello everyone,
I'm certain you've come across authorization servers issuing JWT-formatted
Access Tokens by now. Most frequently these are following the JWT profile
just like an ID Token does, opening up the possibility that an Access Token is a
perfect ID Token lookalike and can be used i.e. as id_token_hint.
- Is this a valid concern?
- Shouldn't the JWT "typ" header parameter be used to strong type the ID
Token (similar to SETs secevent+jwt)?
- Any other way ID Tokens could have unique required claims making it
possible to differentiate between JWT Access Tokens and ID Tokens?
If not part of the specs, should the OPs supporting JWT access tokens be at
least recommended to push unique claims to their JWTs to be able to
distinguish between the different JWT uses?
Penny for your thoughts.
Best Regards,
*Filip Skokan*
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab
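The two ways of telling the tokens apart that Filip raises, the JWT "typ" header and the shape of the claims, written up as a client-side ID Token validator. This is an added example, not code from the thread or from any of the OPs named in it. HS256 with a constructed client secret keeps it self-contained (real OPs normally sign with RS256); the issuer, client_id, nonce, fixed clock and sample tokens are constructed, and the "at+jwt" type value is the access-token "typ" that RFC 9068 later standardised, not something the thread proposes.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# All values below are constructed for this self-contained example.
SHARED_SECRET = b"constructed-client-secret-do-not-reuse"
ISSUER = "https://op.example"
CLIENT_ID = "client-123"
NOW = 1_506_931_200  # fixed clock (2 Oct 2017 UTC) so the example is deterministic


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(header: dict, claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Demo helper: builds a compact JWS so both token kinds can be produced offline."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


class TokenRejected(ValueError):
    """Raised with a short reason when a token must not be accepted as an ID Token."""


def validate_id_token(token: str, *, secret: bytes = SHARED_SECRET, issuer: str = ISSUER,
                      client_id: str = CLIENT_ID, nonce: Optional[str] = None, now: int = NOW) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")  # the verifier, not the token, chooses the algorithm
    expected_sig = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(parts[2])):
        raise TokenRejected("bad signature")

    # Check 1: the "typ" header. RFC 7519 makes it optional and case-insensitive; an ID Token
    # carries "JWT" or nothing. Anything else ("at+jwt" for access tokens per RFC 9068,
    # "secevent+jwt" for SETs, ...) says the token was minted for another purpose.
    typ = str(header.get("typ", "JWT"))
    if typ.lower() != "jwt":
        raise TokenRejected(f"typ {typ!r} is not an ID Token")

    claims = json.loads(_b64url_decode(parts[1]))

    # Check 2: claim shape per OpenID Connect Core 3.1.3.7. The decisive claim is the audience:
    # an ID Token is addressed to the client_id, an access token to a resource server.
    for required in ("iss", "sub", "aud", "exp", "iat"):
        if required not in claims:
            raise TokenRejected(f"missing required claim {required}")
    if claims["iss"] != issuer:
        raise TokenRejected("issuer mismatch")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        raise TokenRejected("audience is not this client (access token?)")
    if len(aud) > 1 and claims.get("azp") != client_id:
        raise TokenRejected("multiple audiences without matching azp")
    if not (claims["iat"] <= now < claims["exp"]):
        raise TokenRejected("token not currently valid")
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenRejected("nonce mismatch")
    return claims


def classify(token: str, **kwargs) -> str:
    """Return 'id_token' or 'rejected: <reason>' so results can be reported or asserted on."""
    try:
        validate_id_token(token, **kwargs)
        return "id_token"
    except TokenRejected as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    base = {"iss": ISSUER, "sub": "user-42", "iat": NOW - 60, "exp": NOW + 3600}
    tokens = {
        # A genuine ID Token: typ JWT, audience is the client, nonce echoed back.
        "id_token": mint_hs256({"alg": "HS256", "typ": "JWT"},
                               {**base, "aud": CLIENT_ID, "nonce": "n-1"}),
        # A strongly typed access token: the typ header alone is enough to reject it.
        "typed_access_token": mint_hs256({"alg": "HS256", "typ": "at+jwt"},
                                         {**base, "aud": CLIENT_ID, "scope": "openid profile"}),
        # The lookalike from the thread: typ JWT, so only the audience check tells it apart.
        "lookalike_access_token": mint_hs256({"alg": "HS256", "typ": "JWT"},
                                             {**base, "aud": "https://api.example", "scope": "read"}),
    }
    return {name: classify(tok, nonce="n-1") for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} -> {result}")
```

The lookalike case is the one the thread worries about: with no "typ" to go on, the audience check is the only claim-level difference left, which is why a strong type on one side or the other (as with "secevent+jwt" for SETs) makes the check independent of how a particular OP happens to populate "aud".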