[Openid-specs-ab] Lite Draft 8

John Bradley ve7jtb at ve7jtb.com
Wed Aug 17 00:16:05 UTC 2011


On 2011-08-16, at 8:08 PM, Johnny Bufu wrote:

> 
> On 11-08-16 04:44 PM, John Bradley wrote:
>> Perhaps just not calling it out as opaque. We don't say that about the
>> user-info access token, because it is assumed in OAuth.
> 
> Isn't there another relevant difference that would warrant calling it opaque for some parties but not for others?
> 
> The ID token will actually contain payload/information that can be extracted and understood by servers and full clients; the access token is just an identifier for a grant entry stored by the server.

True, but we don't talk about inspecting it directly. In the full spec it is not opaque. I just don't know that we need to call out that something that is treated as an access token could also be used as something else.
I was wondering if we are just giving too much information.

> 
>> I am leaning towards describing it as the access token for the Check
>> Session endpoint.
> 
> Is the check session endpoint the same as the introspection endpoint?

Yes, they just wound up being called different things in different versions; they are the same endpoint. We are standardizing the name as Check Session.
> 
>> I asked in another email if id_token is perhaps a bad name? Perhaps session?
> 
> I'm fine with either; not sure if the name led to confusion, or the lack of explanations.
> 
> If it can be used for anything else besides sending it to the check session endpoint, I'd prefer calling it id_token: it describes reasonably well what it is, as it contains the user_id field. Successful processing results in verified identification of the authenticated user.

The token can be directly inspected and is sent to other Session endpoints for refresh etc.

It is just that in the lite spec we need to say: send the id_token value to the Check Session endpoint as the access token value. I will work on it.

> 
> Johnny
