[Openid-specs-ab] JWT Access Token <> ID Token mixups
George Fletcher
gffletch at aol.com
Mon Oct 2 15:10:48 UTC 2017
If the JWT was issued by the same OP/AS it's being presented to as an
id_token_hint, and the OP can securely determine the user from the
access token then I don't think there are any security issues in this
flow. The biggest issue might be that the valid access token is now
flowing through the browser and hence is subject to a man-in-the-browser
capture and replay attack.
Thanks,
George
On 10/2/17 10:31 AM, Filip Skokan wrote:
> The original question was purely concerned about OPs accepting
> JWT-formatted access tokens in places where an ID Token is expected, e.g.
> id_token_hint for authorization or logout request.
>
> Is that something to be concerned about?
>
> Best,
> *Filip Skokan*
>
> On Mon, Oct 2, 2017 at 4:28 PM, George Fletcher <gffletch at aol.com> wrote:
>
> In the cases you've run across... do they really use the id_token
> as an access_token? or rather as a bootstrap token into new
> refresh/access tokens? Given that in most cases id_tokens do not
> contain scopes it seems weird to use them as access tokens (the
> difference between authentication and authorization).
>
> Thanks,
> George
>
>
> On 10/2/17 3:02 AM, Dominick Baier via Openid-specs-ab wrote:
>> We’ve come across a number of implementations that promote the
>> use of id_tokens as access tokens e.g. Microsoft Azure AD (B2C),
>> Google and Auth0.
>>
>> Every time we argue with e.g. Microsoft - they say “we did our
>> own threat modelling and it's fine”. So maybe the spec should be
>> very explicit about why this is not allowed or when exactly this
>> is OK or not.
>>
>> There is a long thread here:
>> https://github.com/IdentityServer/IdentityServer3/issues/2015
>>
>>
>> -------
>> Dominick Baier
>>
>> On 29. September 2017 at 07:56:56, Filip Skokan via
>> Openid-specs-ab (openid-specs-ab at lists.openid.net) wrote:
>>
>>> Hello everyone,
>>>
>>> I'm certain you've come across authorization servers issuing
>>> JWT-formatted Access Tokens by now. Most frequently these are
>>> following the JWT profile just like an ID Token does, opening up
>>> the possibility that an Access Token is a perfect ID Token lookalike
>>> and can be used e.g. as id_token_hint.
>>>
>>> * Is this a valid concern?
>>> * Shouldn't the JWT "typ" header parameter be used to strongly
>>> type the ID Token (similar to SETs' secevent+jwt)?
>>> * Any other way ID Tokens could have unique required claims
>>> making it possible to differentiate between JWT Access
>>> Tokens and ID Tokens?
>>>
>>> If not part of the specs, should the OPs supporting JWT access
>>> tokens be at least recommended to push unique claims to their
>>> JWTs to be able to distinguish between the different JWT uses?
>>>
>>> Penny for your thoughts.
>>>
>>> Best Regards,
>>> *Filip Skokan*
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
>
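Added example for this thread, not code from any of the OPs named in it or from any list participant: a minimal OP-side check for id_token_hint that refuses the OP's own JWT-formatted access tokens. It assumes HS256 with a shared secret (a real OP would verify against its own signing keys), that the OP stamps access tokens with the JWT header typ "at+jwt" as RFC 9068 later specified, and constructed issuer, client_id and resource identifiers. The typ check is the strong-typing idea raised above; the aud and scope checks are the claim-shape fallback for access tokens minted without a typ, following the observation that ID Tokens normally carry no scopes.

```python
"""Distinguish a JWT-formatted access token from an ID Token at the OP.

Added example, not from any OP, library or list participant. Assumptions
(all constructed for the demo):
  - HS256 with a shared secret; a real OP verifies against its own JWKS.
  - Access tokens carry the JWT header typ "at+jwt" (RFC 9068); ID Tokens
    carry typ "JWT" or omit typ, as OIDC Core allows.
  - Issuer, client_id and resource identifiers below are made up.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example"        # assumed OP issuer identifier
CLIENT_ID = "rp-client-1"            # assumed RP client_id
RESOURCE = "https://api.example"     # assumed resource server audience
SECRET = b"demo-only-hs256-secret"   # assumed shared key (demo only)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes = SECRET) -> str:
    """Mint an HS256 compact JWS; stands in for the OP's token issuer."""
    hdr = dict(header, alg="HS256")
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (hdr, claims))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_jws(token: str, key: bytes = SECRET):
    """Check the HS256 signature; return (header, claims) or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":   # pin the algorithm, never trust alg alone
        raise ValueError("unexpected alg")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return header, json.loads(_b64url_decode(parts[1]))


def mint_id_token(sub: str, now=None) -> str:
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + 600, "nonce": "n-0S6_WzA2Mj"}
    return sign_jwt({"typ": "JWT"}, claims)


def mint_access_token(sub: str, now=None, typed: bool = True) -> str:
    """JWT access token with the same claim profile as the ID Token;
    typed=False simulates an OP that omits the RFC 9068 typ header."""
    now = int(time.time()) if now is None else now
    claims = {"iss": ISSUER, "sub": sub, "aud": RESOURCE, "client_id": CLIENT_ID,
              "iat": now, "exp": now + 3600, "scope": "openid profile"}
    return sign_jwt({"typ": "at+jwt"} if typed else {}, claims)


def validate_id_token_hint(token: str, client_id: str = CLIENT_ID,
                           issuer: str = ISSUER, key: bytes = SECRET) -> str:
    """Return the end-user sub if `token` is an ID Token this OP issued to
    `client_id`; raise ValueError for anything else, including the OP's
    own JWT access tokens. exp is deliberately not enforced: the hint only
    identifies the user; accepting an expired hint is a policy decision."""
    header, claims = verify_jws(token, key)
    # 1. Explicit typing: media types compare case-insensitively, and
    #    anything declared as an access token ("at+jwt") is rejected.
    typ = str(header.get("typ", "JWT"))
    if typ.lower() not in ("jwt", "application/jwt"):
        raise ValueError(f"typ {typ!r} is not an ID Token")
    # 2. Claim shape: issued by this OP, addressed to the requesting RP.
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        raise ValueError("client_id not in aud")
    # 3. Heuristic for untyped lookalikes: ID Tokens carry no scopes.
    if "scope" in claims:
        raise ValueError("scope claim present: looks like an access token")
    if not claims.get("sub"):
        raise ValueError("sub missing")
    return claims["sub"]


def hint_accepted(token: str) -> bool:
    try:
        validate_id_token_hint(token)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("id_token accepted:", hint_accepted(mint_id_token("alice")))
    print("typed access token accepted:", hint_accepted(mint_access_token("alice")))
    print("untyped access token accepted:",
          hint_accepted(mint_access_token("alice", typed=False)))
```

The order of checks matters: a typed access token is rejected before any claim is inspected, so an OP that adopts explicit typing does not depend on the audience layout of its access tokens staying different from its ID Tokens, which is exactly the property that is lost when both follow the same JWT profile.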