[Openid-specs-ab] Breno's comment about id_token

Nat Sakimura sakimura at gmail.com
Thu Aug 18 22:26:12 UTC 2011


I chatted with Breno during the call. Unfortunately he cannot join
today, but he has something to say about 'id_token'

Here is his message.


Breno: sorry, I continue to have major conflicts
I do have something to say about the id_token response type. We should have it.
It's important for the code and code+token use cases
for instance, site A may want to be LoA2 compliant
and ask for 'response_type=code&scope=openid'
in this case they expect to redeem the code for an id_token (plus
possibly refresh_token and access_token)
they do not want to get id_token with code
because the assertion before proof of possession of key violates
security requirements
however, another site may not care about LoA2 and might want to get
the id_token immediately in the response for latency reasons
in this case they will probably issue a request such as
'response_type=code+id_token&scope=openid'
in this case they will receive an id_token immediately in the response
which allows for a much faster sign-in experience
these differences are important for market adoption. Latency is often
a deciding factor (as is security)


I propose we go back to specifying id_token whenever we expect it to
be part of the redirect response
e.g.:
'response_type=token&scope=openid'
just gives you a regular access_token
which has access to userinfo
(i.e., 'openid' scope)
'response_type=token+id_token&scope=openid' results in two tokens being returned
'response_type=code...' we already talked about this case
we also have the combinations of code+token with or without id_token,
which are easy to infer

-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
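The distinction Breno draws above, as an added worked example (not code from this thread or from any OpenID Foundation project): a small relying-party-side check that, given the response_type it sent, decides which artifacts it expects in the redirect response versus from the token endpoint, and flags a redirect that carries an id_token the RP never asked for up front (the LoA2 "assertion before proof of possession" case). It assumes the finalized OpenID Connect placement of parameters, code-only responses in the query string and anything containing token or id_token in the fragment; the message itself does not state that detail. The URLs and token values are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Artifacts that each response_type component places directly in the
# redirect response ("specify id_token whenever we expect it to be part of
# the redirect response").
FRONT_CHANNEL = {
    "code": {"code"},
    "token": {"access_token"},
    "id_token": {"id_token"},
}

# Parameters that legitimately accompany tokens and are not tokens themselves.
NON_TOKEN_PARAMS = {"state", "token_type", "expires_in", "scope"}


def parse_response_type(response_type: str) -> set[str]:
    """Split 'code+id_token' or 'code id_token' into its components."""
    parts = set(response_type.replace("+", " ").split())
    unknown = parts - FRONT_CHANNEL.keys()
    if not parts or unknown:
        raise ValueError(f"unsupported response_type: {response_type!r}")
    return parts


def expected_in_redirect(response_type: str) -> set[str]:
    """What the RP should find in the redirect back from the OP."""
    expected: set[str] = set()
    for part in parse_response_type(response_type):
        expected |= FRONT_CHANNEL[part]
    return expected


def expected_from_token_endpoint(response_type: str, scope: str) -> set[str]:
    """What redeeming the code yields; nothing if no code was requested.

    A refresh_token may also be issued, but that is optional, so it is
    not listed as expected here.
    """
    if "code" not in parse_response_type(response_type):
        return set()
    result = {"access_token"}
    if "openid" in scope.split():
        # With scope=openid the id_token is delivered only after the code
        # is redeemed, i.e. after proof of possession of the code.
        result.add("id_token")
    return result


def check_redirect_response(response_type: str, redirect_url: str) -> list[str]:
    """Return a sorted list of problems: missing or unexpected artifacts.

    Assumption (not from the thread): code-only responses arrive in the
    query component; any response containing token or id_token arrives in
    the fragment, which is what the finalized OpenID Connect spec does.
    """
    parts = parse_response_type(response_type)
    expected = expected_in_redirect(response_type)
    url = urlsplit(redirect_url)
    location = url.query if parts == {"code"} else url.fragment
    received = set(parse_qs(location).keys()) - NON_TOKEN_PARAMS
    problems = [f"missing {name}" for name in expected - received]
    # An id_token showing up when only 'code' was requested is exactly the
    # case a LoA2-constrained RP must refuse to act on.
    problems += [f"unexpected {name}" for name in received - expected]
    return sorted(problems)


if __name__ == "__main__":
    # Constructed sample redirects (token values are placeholders).
    print(check_redirect_response("code", "https://rp.example/cb?code=abc&state=xyz"))
    print(check_redirect_response("code", "https://rp.example/cb?code=abc&id_token=eyJ&state=xyz"))
    print(check_redirect_response("code+id_token", "https://rp.example/cb#code=abc&id_token=eyJ&state=xyz"))
    print(expected_from_token_endpoint("code", "openid"))
```

Run as a script it prints an empty problem list for the plain code flow, "unexpected id_token" for the same flow when the OP pushes an id_token into the redirect, an empty list for code+id_token, and the access_token/id_token pair the RP should expect back from the token endpoint.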

