[Openid-specs-ab] JWT Access Token <> ID Token mixups

George Fletcher gffletch at aol.com
Mon Oct 2 14:28:17 UTC 2017


In the cases you've run across... do they really use the id_token as an 
access_token? Or rather as a bootstrap token into new refresh/access 
tokens? Given that in most cases id_tokens do not contain scopes it 
seems weird to use them as access tokens (the difference between 
authentication and authorization).

Thanks,
George

On 10/2/17 3:02 AM, Dominick Baier via Openid-specs-ab wrote:
> We’ve come across a number of implementations that promote the use of 
> id_tokens as access tokens e.g. Microsoft Azure AD (B2C), Google and 
> Auth0.
>
> Every time we argue with e.g. Microsoft - they say “we did our own 
> threat modelling and it's fine”. So maybe the spec should be very 
> explicit about why this is not allowed or when exactly this is OK or not.
>
> There is a long thread here:
> https://github.com/IdentityServer/IdentityServer3/issues/2015
>
>
> -------
> Dominick Baier
>
> On 29. September 2017 at 07:56:56, Filip Skokan via Openid-specs-ab 
> (openid-specs-ab at lists.openid.net 
> <mailto:openid-specs-ab at lists.openid.net>) wrote:
>
>> Hello everyone,
>>
>> I'm certain you've come across authorization servers issuing 
>> JWT-formatted Access Tokens by now. Most frequently these are 
>> following the JWT profile just like an ID Token does, opening up the 
>> possibility an Access Token is a perfect ID Token lookalike and can 
>> be used i.e. as id_token_hint.
>>
>>   * Is this a valid concern?
>>   * Shouldn't the JWT "typ" header parameter be used to strongly type
>>     the ID Token (similar to SETs secevent+jwt)?
>>   * Any other way ID Tokens could have unique required claims
>>     making it possible to differentiate between JWT Access Tokens and
>>     ID Tokens?
>>
>> If not part of the specs, should the OPs supporting JWT access tokens 
>> be at least recommended to push unique claims to their JWTs to be 
>> able to distinguish between the different JWT uses?
>>
>> Penny for your thoughts.
>>
>> Best Regards,
>> *Filip Skokan*
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net 
>> <mailto:Openid-specs-ab at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
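The lookalike problem Filip describes, and the two remedies he floats (a "typ" header and claims that only one token kind carries), as an added example that is not code from anyone in this thread: a relying-party check that decides whether a JWT presented as id_token_hint is really an ID Token, first with only the standard ID Token checks and then with the disambiguation. The key, issuer, client and tokens are constructed; "id_token+jwt" is a hypothetical typ value standing in for whatever strong typing the spec might adopt, while "at+jwt" is the value RFC 9068 later standardised for JWT access tokens, which postdates this thread.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"   # constructed; a real OP signs with its own (usually asymmetric) key
ID_TOKEN_TYP = "id_token+jwt"   # hypothetical value for the strong typing proposed in the thread
ACCESS_TOKEN_TYP = "at+jwt"     # JWT access token typ from RFC 9068 (later than this thread)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(header: dict, claims: dict) -> str:
    """Mint an HS256 JWT (demo only; the OP's real alg and key do not matter here)."""
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify(token: str) -> tuple:
    """Check the HS256 signature and return (header, claims); raises on tampering."""
    h, c, s = token.split(".")
    expected = hmac.new(KEY, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))

def passes_core_id_token_checks(claims: dict, client_id: str, issuer: str) -> bool:
    """iss/aud/exp/sub checks of OpenID Connect Core 3.1.3.7: a lookalike access token
    from the same OP with the client in 'aud' passes all of these."""
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    return (claims.get("iss") == issuer and client_id in aud
            and claims.get("exp", 0) > time.time() and "sub" in claims)

def is_id_token(header: dict, claims: dict) -> bool:
    """Disambiguation: trust an explicit 'typ' first; for an untyped 'JWT' fall back to
    claims only one kind carries (scope/client_id => access token, nonce/auth_time => ID Token)."""
    typ = header.get("typ")
    if typ == ACCESS_TOKEN_TYP:
        return False
    if typ == ID_TOKEN_TYP:
        return True
    if "scope" in claims or "client_id" in claims:
        return False
    return "nonce" in claims or "auth_time" in claims

def accept_id_token_hint(token: str, client_id: str, issuer: str, strict: bool = True) -> bool:
    header, claims = verify(token)
    if not passes_core_id_token_checks(claims, client_id, issuer):
        return False
    return is_id_token(header, claims) if strict else True

# Constructed samples: an ID Token and a JWT access token from the same OP, same sub and aud.
NOW = int(time.time())
BASE = {"iss": "https://op.example", "sub": "24400320", "aud": "client-1", "exp": NOW + 600, "iat": NOW}
ID_TOKEN = mint({"alg": "HS256", "typ": "JWT"}, {**BASE, "nonce": "n-0S6_WzA2Mj", "auth_time": NOW})
ACCESS_TOKEN = mint({"alg": "HS256", "typ": "JWT"}, {**BASE, "scope": "openid profile", "client_id": "client-1"})
TYPED_ACCESS_TOKEN = mint({"alg": "HS256", "typ": ACCESS_TOKEN_TYP}, dict(BASE))
```

With strict=False the access token is accepted as an id_token_hint; with the typ or claim check it is not.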
