[Openid-specs-ab] Introspection Profile for OpenID Connect

John Bradley ve7jtb at ve7jtb.com
Fri Sep 13 16:51:43 UTC 2013

The JWT is returned on the authorization response or on the response from the token endpoint.   There is no need to introspect the access token to get it.   The access token is not guaranteed to be tightly bound to the session.    If the client can't validate signatures then using the code flow and getting the id_token from the token endpoint lets them use it by just decoding the base64url encoding.   Creating a introspection  endpoint for id_tokens that would only do base64url decoding was scrapped in the spec about a year ago as not useful, and just another endpoint for Idp to implement.

On 2013-09-13, at 9:18 AM, mike at gluu.org wrote:

> Justin,
> Thanks for the reply.
> I guess if there is always a 1:1 relationship between access tokens and id tokens, that works. It is a little counter-intuitive, because an acr is an attribute of the authn transaction, not a user claim. So it seemed to make sense to publish the acr in the JWT returned via introspection on an access token.
> - Mike
> On 2013-09-13 11:10, Justin Richer wrote:
>> If you're talking about the ID Token (which I assume you are since
>> you're talking about using "token1" to log in), then the "acr" value
>> should be inside the ID token itself, which your app2 can parse.
>> But why would the person pass the token to app2? Wouldn't app2 want
>> to start its own session with the user? I don't think you want people
>> to be able to sling ID tokens around between apps -- the 'aud' claim
>> would be wrong and it would need to be rejected anyway.
>> -- Justin
>> On 09/13/2013 12:00 PM, mike at gluu.org wrote:
>>> Here is another clarification...
>>> Lets say I have two apps:
>>> 1. app1 - requires acr = http://gluu.org/authn/auth_level/1
>>> 2. app2 - requires acr = http://gluu.org/authn/auth_level/2
>>> I want SSO between two apps:
>>> 1) A Person tries to login to app1 (auth_level=1) => got token1
>>> 2) Then the Person tries to login to app2 with token1 . So app2 needs to introspect token1 to get auth_level to make sure it's 2 or higher.
>>> Is this just out of scope of OpenID Connect ?  I thought the use of acr was in Connect?
>>> thx,
>>> Mike
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4507 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20130913/3c478692/attachment-0001.p7s>

More information about the Openid-specs-ab mailing list