[Openid-specs-ab] Revised submission :: OpenID Connect Key Binding

Dick Hardt dick.hardt at gmail.com
Tue Oct 7 14:40:38 UTC 2025


I don't know the details of how kubectl -- if it is using the id_token as
an access token I would consider that to be problematic.

I'm unclear what use case there is for a cross domain id_token -- VCs tend
to fit that use case much better -- which is quite different than the use
cases we want to use id_token key binding. We really do want an id_token.

On Tue, Oct 7, 2025 at 2:45 PM <george at practicalidentity.com> wrote:

> Hi Dick and Ethan,
>
> Thanks for the updated version. The scope is much more clear in this
> version.
>
> In Security Considerations section 3.3 there is a prohibition with using
> the id_token as an access token. Yet in the kubectl example that has been
> mentioned a few times in the email thread, the id_token IS used as an
> access token. This is driven partly from the existing behavior of stuffing
> attributes for ABAC and roles for RBAC into the id_token.
>
> I also believe that there is a need for an identity token that is intended
> to cross trust-domain boundaries. I’m thinking it may make sense to define
> a mechanism that serves both the single RP (and its components) as well as
> the larger use case of crossing trust-domain boundaries. I’d expect that
> decentralized systems will need this capability (e.g. bluesky).
>
> George Fletcher
> Identity Standards Architect
> Practical Identity LLC
>
>
>
> On Oct 1, 2025, at 7:13 AM, Dick Hardt via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> Attached is a revised submission in HTML taking into consideration the
> feedback from the recent call for adoption.
>
> repo: https://github.com/dickhardt/openid-key-binding
> online html: https://dickhardt.github.io/openid-key-binding/main.html
>
> The authors would like to thank Jacob for his review and feedback.
>
> /Dick & Ethan
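The thread turns on the distinction George raises: an id_token is audienced to a single RP, while an access token is audienced to the resource it is presented to, so a resource server that accepts an id_token in an Authorization header is trusting a token that was never meant for it. The following Python is an added example written for this archive page; it is not code from the key-binding draft, from kubectl, or from either author. It assumes a resource server that only honours JWT access tokens carrying the `typ: at+jwt` header from RFC 9068 and an `aud` naming the resource, and rejects anything shaped like an OIDC ID Token (audienced to a client_id, carrying a nonce). The HS256 key, the issuer, the client_id `client-123` and the resource identifier are constructed placeholders so the example verifies offline; a real deployment would verify against the issuer's published JWKS.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: HS256 is used only so the example is self-contained and
# verifiable offline. A real resource server would use the issuer's JWKS keys.
DEMO_KEY = b"constructed-demo-key-not-for-production"
RESOURCE_AUD = "https://api.example.internal"  # hypothetical resource identifier
CLIENT_ID = "client-123"                       # hypothetical RP client_id


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.claims.signature) with HS256, demo only."""
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes):
    """Return (header, claims) when the signature verifies, otherwise None."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))


def classify_token(token: str, key: bytes) -> str:
    """Label a verified JWT as access_token, id_token, unknown, or invalid."""
    parsed = verify_hs256(token, key)
    if parsed is None:
        return "invalid"
    header, claims = parsed
    # RFC 9068 JWT access tokens announce themselves with typ "at+jwt".
    if str(header.get("typ", "")).lower() == "at+jwt":
        return "access_token"
    # An OIDC ID Token is addressed to the RP's client_id and often carries a nonce.
    if "nonce" in claims or claims.get("aud") == CLIENT_ID:
        return "id_token"
    return "unknown"


def resource_server_accepts(token: str, key: bytes, resource_aud: str, now=None) -> bool:
    """Accept only an unexpired JWT access token whose aud names this resource."""
    parsed = verify_hs256(token, key)
    if parsed is None or classify_token(token, key) != "access_token":
        return False
    _, claims = parsed
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if resource_aud not in audiences:
        return False
    now = time.time() if now is None else now
    return claims.get("exp", 0) > now


FUTURE = 4102444800  # 2100-01-01T00:00:00Z, keeps the constructed tokens unexpired

# Constructed sample tokens: one ID Token (roles stuffed in, as the thread describes)
# and one RFC 9068-style access token for the same subject.
ID_TOKEN = mint_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"iss": "https://op.example", "sub": "alice", "aud": CLIENT_ID,
     "nonce": "n-0S6_WzA2Mj", "exp": FUTURE, "roles": ["cluster-admin"]},
    DEMO_KEY)

ACCESS_TOKEN = mint_hs256(
    {"alg": "HS256", "typ": "at+jwt"},
    {"iss": "https://op.example", "sub": "alice", "aud": RESOURCE_AUD,
     "client_id": CLIENT_ID, "scope": "pods:read", "exp": FUTURE},
    DEMO_KEY)

if __name__ == "__main__":
    for name, tok in (("id_token", ID_TOKEN), ("access_token", ACCESS_TOKEN)):
        verdict = "accepted" if resource_server_accepts(tok, DEMO_KEY, RESOURCE_AUD) else "rejected"
        print(f"{name}: classified as {classify_token(tok, DEMO_KEY)}, {verdict}")
```

The point of the check is that the roles claim in the ID Token is irrelevant to the decision: the resource server rejects the token on its type and audience before ever looking at authorization attributes, which is the behaviour a section 3.3 style prohibition asks for.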