[Openid-specs-ab] Lite Draft 8

Johnny Bufu jbufu at janrain.com
Tue Aug 16 23:32:44 UTC 2011


On 11-08-16 12:55 PM, Allen Tom wrote:
> Based on my feedback, and also from what I read from George and Johnny,
> it sounds like the id_token should either be removed from the Lite spec
> (is it really required for a Lite implementation? It appears to be an
> optimization)

It was explained on the call yesterday that the ID token identifies the 
information captured by the server about a given authentication event. 
It is session-based and expires as soon as the user logs out of their IdP 
(or maybe sooner?). Lite clients can retrieve the data associated with 
it from the introspection endpoint. Full clients can verify the 
signature and extract authentication data from it themselves.

In other words, the ID token is the identifier for the "authenticated" 
attribute of a user.

The OAuth2 access token is longer lived and can be used by the client to 
retrieve user profile data (or claims/attributes) from the userinfo 
endpoint without the user being present.

> or perhaps if it needs to stay in the spec, then it should
> be definitely better documented.

+1, I raised the same issue on the call yesterday; John said he would 
add explanations for the ID token.

> The id_token definition in Section 2 says that it's opaque in the Lite
> profile, which at least to me, means that implementors can ignore it.

To me it means that a lite client doesn't have to understand its 
contents, parse or extract data from it. Just store, compare or pass it 
along as required by the protocol.

I still think that the term "opaque" should be targeted at one or more 
parties that handle the token, not at a document.

Johnny
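
An added example (not code from the OpenID Connect Lite draft or from anyone on the thread) modelling the two ways of handling the ID token that the message contrasts: a lite client treats it as an opaque string and asks the IdP's introspection endpoint what it means, while a full client verifies the signature and reads the claims itself. Everything about the token format is an assumption made for illustration: it is an HS256 JWT with a shared secret, the claim names (iss, aud, user_id, iat, exp), the per-session table the IdP keeps for each authentication event, and the shape of the introspection response. The sample issuer, client and user names are constructed.

```python
"""Model of lite vs. full ID token handling (added example, assumptions only)."""
import base64
import hashlib
import hmac
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(secret: bytes, signing_input: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


class IdentityProvider:
    """Assumed IdP: mints one id_token per authentication event and keeps it
    in a session table until the user logs out (the session-based behaviour
    described in the message). Not the draft's actual server behaviour."""

    def __init__(self, issuer: str, secret: bytes):
        self.issuer = issuer
        self.secret = secret
        self.sessions = {}  # id_token -> claims; entry dropped on logout

    def authenticate(self, user_id: str, client_id: str, now: int,
                     lifetime: int = 300) -> str:
        header = {"alg": "HS256", "typ": "JWT"}  # assumed token format
        claims = {"iss": self.issuer, "aud": client_id, "user_id": user_id,
                  "iat": now, "exp": now + lifetime}
        signing_input = (_b64url(json.dumps(header).encode()) + "." +
                         _b64url(json.dumps(claims).encode())).encode("ascii")
        token = (signing_input.decode("ascii") + "." +
                 _b64url(_hs256(self.secret, signing_input)))
        self.sessions[token] = claims
        return token

    def introspect(self, token: str) -> dict:
        """Assumed introspection endpoint: opaque token in, claims out."""
        claims = self.sessions.get(token)
        if claims is None:
            return {"active": False}
        return {"active": True, **claims}

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


def lite_client_check(idp: IdentityProvider, token: str) -> dict:
    """Lite client: the token is opaque to it. It stores the string and
    presents it to the IdP; the IdP's answer is the only source of truth."""
    return idp.introspect(token)


def full_client_verify(token: str, secret: bytes, issuer: str,
                       client_id: str, now: int):
    """Full client: checks signature and claims locally, no IdP round trip.
    Returns the claims dict, or None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        given = _b64url_decode(s)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    # Pin the algorithm: the token must never choose it (alg=none, etc.).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = _hs256(secret, f"{h}.{p}".encode("ascii"))
    if not hmac.compare_digest(expected, given):
        return None
    try:
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return None
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims
```

The point the lite path makes visible is that a client which never parses the token cannot be tricked by its contents, but it also learns nothing without the IdP: once `logout()` removes the session, introspection reports the token inactive, while a full client that checks only the signature and `exp` would still accept the same string until it expires. A full client therefore needs the `exp` window to be short, or its own revocation check, to get the "expires on logout" behaviour the message describes.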

