[Openid-specs-ab] Introspection Profile for OpenID Connect
jricher at mitre.org
Fri Sep 13 16:10:21 UTC 2013
If you're talking about the ID Token (which I assume you are since
you're talking about using "token1" to log in), then the "acr" value
should be inside the ID token itself, which your app2 can parse.
But why would the person pass the token to app2? Wouldn't app2 want to
start its own session with the user? I don't think you want people to be
able to sling ID tokens around between apps -- the 'aud' claim would be
wrong and it would need to be rejected anyway.
On 09/13/2013 12:00 PM, mike at gluu.org wrote:
> Here is another clarification...
> Lets say I have two apps:
> 1. app1 - requires acr = http://gluu.org/authn/auth_level/1
> 2. app2 - requires acr = http://gluu.org/authn/auth_level/2
> I want SSO between two apps:
> 1) A Person tries to login to app1 (auth_level=1) => got token1
> 2) Then the Person tries to login to app2 with token1 . So app2 needs
> to introspect token1 to get auth_level to make sure it's 2 or higher.
> Is this just out of scope of OpenID Connect ? I thought the use of
> acr was in Connect?
More information about the Openid-specs-ab