[Openid-specs-ab] Introspection Profile for OpenID Connect

mike at gluu.org mike at gluu.org
Fri Sep 13 16:18:54 UTC 2013


Justin,

Thanks for the reply.

I guess if there is always a 1:1 relationship between access tokens and 
id tokens, that works. It is a little counter-intuitive, because an acr 
is an attribute of the authn transaction, not a user claim. So it seemed 
to make sense to publish the acr in the JWT returned via introspection 
on an access token.

- Mike


On 2013-09-13 11:10, Justin Richer wrote:
> If you're talking about the ID Token (which I assume you are since
> you're talking about using "token1" to log in), then the "acr" value
> should be inside the ID token itself, which your app2 can parse.
> 
> But why would the person pass the token to app2? Wouldn't app2 want
> to start its own session with the user? I don't think you want people
> to be able to sling ID tokens around between apps -- the 'aud' claim
> would be wrong and it would need to be rejected anyway.
> 
>  -- Justin
> 
> On 09/13/2013 12:00 PM, mike at gluu.org wrote:
>> Here is another clarification...
>> 
>> Lets say I have two apps:
>> 1. app1 - requires acr = http://gluu.org/authn/auth_level/1
>> 2. app2 - requires acr = http://gluu.org/authn/auth_level/2
>> 
>> I want SSO between two apps:
>> 
>> 1) A Person tries to login to app1 (auth_level=1) => got token1
>> 
>> 2) Then the Person tries to login to app2 with token1 . So app2 needs 
>> to introspect token1 to get auth_level to make sure it's 2 or higher.
>> 
>> Is this just out of scope of OpenID Connect ?  I thought the use of 
>> acr was in Connect?
>> 
>> thx,
>> 
>> Mike


More information about the Openid-specs-ab mailing list