[Openid-specs-ab] Introspection Profile for OpenID Connect

Justin Richer jricher at mitre.org
Fri Sep 13 16:10:21 UTC 2013

If you're talking about the ID Token (which I assume you are since 
you're talking about using "token1" to log in), then the "acr" value 
should be inside the ID token itself, which your app2 can parse.

But why would the person pass the token to app2? Wouldn't app2 want to 
start its own session with the user? I don't think you want people to be 
able to sling ID tokens around between apps -- the 'aud' claim would be 
wrong and it would need to be rejected anyway.

  -- Justin

On 09/13/2013 12:00 PM, mike at gluu.org wrote:
> Here is another clarification...
> Lets say I have two apps:
> 1. app1 - requires acr = http://gluu.org/authn/auth_level/1
> 2. app2 - requires acr = http://gluu.org/authn/auth_level/2
> I want SSO between two apps:
> 1) A Person tries to login to app1 (auth_level=1) => got token1
> 2) Then the Person tries to login to app2 with token1 . So app2 needs 
> to introspect token1 to get auth_level to make sure it's 2 or higher.
> Is this just out of scope of OpenID Connect ?  I thought the use of 
> acr was in Connect?
> thx,
> Mike

More information about the Openid-specs-ab mailing list