[Openid-specs-ab] Id token at token endpoint

Torsten Lodderstedt torsten at lodderstedt.net
Sat Dec 29 09:30:08 UTC 2012


*** taking this discussion to the list again :-) ***

In my opinion, the id token represents an authentication event and it doesn't matter whether this event took place in a web browser or during a backend call.

Regards,
Torsten.

On 29.12.2012 at 00:41, Brian Campbell <bcampbell at pingidentity.com> wrote:

> So an ID Token is tied (as much as is possible) to a web session at which the end user is present, which is really only achieved through interaction with the authorization endpoint. I'm only guessing/assuming though.
> 
> 
> On Fri, Dec 28, 2012 at 3:08 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>> Why?
>> 
>> On 28.12.2012 at 22:56, Brian Campbell <bcampbell at pingidentity.com> wrote:
>> 
>>> I'd always assumed that the intent was to preclude it?
>>> 
>>> 
>>> On Fri, Dec 28, 2012 at 1:25 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>>> Hi,
>>>> 
>>>> I just noticed the following statement in messages:
>>>> 
>>>> "Note that id_token MUST NOT be returned if the grant_type is not authorization_code"
>>>> 
>>>> What is the rationale for this restriction? I remember discussions not to allow an exchange of refresh tokens for id tokens. That's ok. But I can imagine providing clients with id tokens based on the password grant type. Do you want to preclude this?
>>>> 
>>>> Regards,
>>>> Torsten.
>>>> 
>>>> 
> 