[Openid-specs-ab] JWT Access Token <> ID Token mixups

Filip Skokan panva.ip at gmail.com
Mon Oct 2 14:31:29 UTC 2017


The original question was purely concerned with OPs accepting JWT-formatted
access tokens in places where an ID Token is expected, e.g. id_token_hint for
an authorization or logout request.

Is that something to be concerned about?

Best,
*Filip Skokan*

On Mon, Oct 2, 2017 at 4:28 PM, George Fletcher <gffletch at aol.com> wrote:

> In the cases you've run across... do they really use the id_token as an
> access_token? Or rather as a bootstrap token into new refresh/access
> tokens? Given that in most cases id_tokens do not contain scopes, it seems
> weird to use them as access tokens (the difference between authentication
> and authorization).
>
> Thanks,
> George
>
>
> On 10/2/17 3:02 AM, Dominick Baier via Openid-specs-ab wrote:
>
> We’ve come across a number of implementations that promote the use of
> id_tokens as access tokens e.g. Microsoft Azure AD (B2C), Google and Auth0.
>
> Every time we argue with e.g. Microsoft, they say "we did our own threat
> modelling and it's fine". So maybe the spec should be very explicit about
> why this is not allowed, or when exactly this is OK or not.
>
> There is a long thread here:
> https://github.com/IdentityServer/IdentityServer3/issues/2015
>
>
> -------
> Dominick Baier
>
> On 29. September 2017 at 07:56:56, Filip Skokan via Openid-specs-ab (
> openid-specs-ab at lists.openid.net) wrote:
>
> Hello everyone,
>
> I'm certain you've come across authorization servers issuing JWT-formatted
> Access Tokens by now. Most frequently these follow the JWT profile
> just like an ID Token does, opening up the possibility that an Access Token is a
> perfect ID Token lookalike and can be used, e.g., as id_token_hint.
>
>    - Is this a valid concern?
>    - Shouldn't the JWT "typ" header parameter be used to strongly type the
>    ID Token (similar to SETs' secevent+jwt)?
>    - Is there any other way ID Tokens could have unique required claims, making
>    it possible to differentiate between JWT Access Tokens and ID Tokens?
>
> If not part of the specs, should OPs supporting JWT access tokens at
> least be recommended to push unique claims into their JWTs to be able to
> distinguish between the different JWT uses?
>
> Penny for your thoughts.
>
> Best Regards,
> *Filip Skokan*
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
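The mixup the thread describes, as an added illustration that is not part of any message above and not code from any OP named in it: an OP-side check for id_token_hint that applies the two defences Filip asks about, the JOSE "typ" header and the set of claims an ID Token must carry. The HS256 signing helper, the issuer https://op.example, the client_id s6BhdRkqt3, the fixed clock and the three tokens are all constructed for the example; a real OP signs with its published keys. Two further assumptions are labelled in the code: "at+jwt" is the typ value RFC 9068 later assigned to JWT access tokens, and the "scope"/"client_id" claim heuristic is a guess at how untyped access tokens differ from ID Tokens, not anything the specs define.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions for this example only).
DEMO_KEY = b"demo-hs256-secret-do-not-reuse"
ISSUER = "https://op.example"
CLIENT_ID = "s6BhdRkqt3"
NOW = 1_506_931_200  # fixed clock so the tokens below are deterministic


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(header: dict, claims: dict, key: bytes = DEMO_KEY) -> str:
    """Minimal HS256 signer, present only so the example can build test tokens."""
    header = {"alg": "HS256", **header}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def parse_jwt(token: str, key: bytes = DEMO_KEY):
    """Verify the HS256 signature and return (header, claims); raise ValueError on failure."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token never gets to choose the algorithm
    expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return header, json.loads(_b64url_decode(c))


# Claims OpenID Connect Core requires in every ID Token.
ID_TOKEN_REQUIRED = {"iss", "sub", "aud", "exp", "iat"}
# Assumption: claims an ID Token never carries but JWT access tokens commonly do.
ACCESS_TOKEN_MARKERS = {"scope", "client_id"}


def check_id_token_hint(token: str, key: bytes = DEMO_KEY):
    """Return (accepted, reason) for a token presented as id_token_hint."""
    header, claims = parse_jwt(token, key)

    # 1. Strong typing via "typ": an ID Token is untyped or plain "JWT". Anything
    #    else, e.g. "at+jwt" (RFC 9068, an assumption here), is some other token.
    typ = header.get("typ")
    if typ is not None and typ.upper() != "JWT":
        return False, f"typ {typ!r} is not an ID Token"

    # 2. Every claim an ID Token must carry has to be present.
    missing = ID_TOKEN_REQUIRED - claims.keys()
    if missing:
        return False, f"missing ID Token claims: {sorted(missing)}"

    # 3. The hint must have been issued by this OP to this RP.
    if claims["iss"] != ISSUER:
        return False, "wrong issuer"
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if CLIENT_ID not in aud:
        return False, "client_id not in aud"

    # 4. Heuristic for untyped lookalikes whose aud happens to be the client_id.
    markers = ACCESS_TOKEN_MARKERS & claims.keys()
    if markers:
        return False, f"access-token claims present: {sorted(markers)}"

    # exp is deliberately not enforced: a hint may be an ID Token from an
    # earlier, now expired, session; presence of the claim is what matters here.
    return True, "ok"


def demo() -> dict:
    """Three constructed tokens: a real ID Token and two access-token lookalikes."""
    base = {"iss": ISSUER, "sub": "248289761001", "iat": NOW, "exp": NOW + 3600}
    id_token = mint_jwt({"typ": "JWT"}, {**base, "aud": CLIENT_ID, "nonce": "n-0S6_WzA2Mj"})
    typed_at = mint_jwt({"typ": "at+jwt"}, {**base, "aud": CLIENT_ID, "scope": "openid profile"})
    untyped_at = mint_jwt({}, {**base, "aud": CLIENT_ID, "scope": "openid profile"})
    return {
        "id_token": check_id_token_hint(id_token),
        "typed_access_token": check_id_token_hint(typed_at),
        "untyped_access_token": check_id_token_hint(untyped_at),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22} {'ACCEPT' if ok else 'REJECT'}  {why}")
```

Only the typed access token is caught by the "typ" check; the untyped one passes issuer and audience and is rejected solely by the claim heuristic, which is the weaker, guessable defence Filip's second and third questions are about.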