[Openid-specs-ab] JWT Access Token <> ID Token mixups

Brock Allen brockallen at gmail.com
Mon Oct 2 14:32:03 UTC 2017


> Given that in most cases id_tokens do not contain scopes it seems weird to use them as access tokens (the difference between authentication and authorization).


Agreed, but some token servers out there don't use/understand scopes as per how RFC6749 is worded (at least according to my reading). 

I think they were using the aud in the id_token to substitute for scope, with the assumption that the client and the resource server were designed as one and the same. But this scenario is not specifically documented in OAuth2 or OIDC, thus the request for threat modeling and/or clarification.

-Brock
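As an added illustration of the mixup discussed in this thread (example code, not from the thread or any OpenID implementation): a resource-server check that refuses an ID token presented as a bearer access token and treats a matching aud alone as insufficient without a scope claim. It assumes signature, issuer and expiry were already verified; RESOURCE_ID, CLIENT_ID, classify_bearer and the sample tokens are constructed for this example.

```python
import base64
import json

RESOURCE_ID = "https://api.example.test"  # constructed: this resource server's identifier
CLIENT_ID = "client-abc"                  # constructed: the OAuth client that obtained the tokens

def _b64url_decode(segment: str) -> dict:
    # JWT segments are base64url without padding; restore padding before decoding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def split_jwt(token: str) -> tuple:
    """Return (header, claims). The signature segment is NOT checked here;
    assume the caller verified it against the issuer's keys beforehand."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return _b64url_decode(parts[0]), _b64url_decode(parts[1])

def classify_bearer(header: dict, claims: dict, resource_id: str = RESOURCE_ID) -> tuple:
    """Decide whether an already-verified JWT may be used as an access token here.
    Returns (accepted, reason)."""
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    typ = (header.get("typ") or "").lower()
    # RFC 9068 explicit typing: the issuer itself says this is an access token
    if typ in ("at+jwt", "application/at+jwt"):
        if resource_id not in aud:
            return False, "access token not addressed to this resource"
        return True, "explicitly typed JWT access token"
    # Claims that OIDC Core defines only for ID Tokens signal authentication, not authorization
    if any(c in claims for c in ("nonce", "at_hash", "c_hash")):
        return False, "ID token presented as access token"
    # Legacy/untyped JWT: a matching aud alone is not a grant; require a scope claim
    if not claims.get("scope"):
        return False, "untyped JWT without scope (aud alone is not authorization)"
    if resource_id not in aud:
        return False, "not addressed to this resource"
    return True, "untyped JWT access token carrying scope"

# Constructed sample tokens with a placeholder signature segment
SAMPLE_ID_TOKEN = ".".join([_b64url_encode({"alg": "RS256", "typ": "JWT"}),
                            _b64url_encode({"iss": "https://op.example.test", "sub": "u1",
                                            "aud": CLIENT_ID, "nonce": "n-1"}), "sig"])
SAMPLE_ACCESS_TOKEN = ".".join([_b64url_encode({"alg": "RS256", "typ": "at+jwt"}),
                                _b64url_encode({"iss": "https://op.example.test", "sub": "u1",
                                                "aud": RESOURCE_ID, "scope": "read"}), "sig"])
```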

