[Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same Access Token but...

Nat Sakimura sakimura at gmail.com
Mon Oct 21 16:38:09 UTC 2013


The new core recommends the following. This seems to be new text
introduced in the new core.
2.3.3.8.  Access Token

If an Access Token is returned from both the
Authorization Endpoint and from the Token Endpoint, which is the case with
the response_type values code token and code id_token token, it is
RECOMMENDED that their values be the same.

Is this true? I feel like the opposite is true. The reason for getting an
Access Token from both the AuthZ Endpoint and the Token Endpoint is that
they have different security characteristics: the latter is more secure and
thus trusted. So, there is value in differentiating between them, e.g.
the former has a shorter expiry time as well as lesser permission.

I feel like it should be as follows:

2.3.3.8.  Access Token

If an Access Token is returned from both the
Authorization Endpoint and from the Token Endpoint, which is the case with
the response_type values code token and code id_token token, it is
RECOMMENDED that their values be different. The Access Token returned from
the Authorization Endpoint is more vulnerable to various attacks, so it has
less trust than that returned from the Token Endpoint. Thus, the Server MAY
give lesser permission and a shorter lifetime to the Access Token that is
returned from the Authorization Endpoint.

Section 2.3 has a bunch of bugs which were quite clear in how to fix, but this
one was not that obvious, so I am asking.

Best,


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
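As an added illustration of the issuance policy proposed above (example code written for this page, not code from the thread or from any OpenID Connect implementation): an authorization server handling the code id_token token response type mints two distinct opaque tokens for one authorization, downscoping and shortening the one delivered in the authorization response, and a resource server can tell them apart on introspection. The scope limit and lifetimes are assumed values.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy values (not taken from the spec text): the token delivered via
# the Authorization Endpoint gets a short life and a reduced scope, the token
# from the Token Endpoint gets the full grant and a normal lifetime.
FRONT_CHANNEL_TTL = 60
BACK_CHANNEL_TTL = 3600
FRONT_CHANNEL_SCOPE_LIMIT = frozenset({"openid", "profile"})


@dataclass(frozen=True)
class AccessToken:
    value: str
    scope: frozenset
    issued_via: str      # "authorization_endpoint" or "token_endpoint"
    expires_at: float


class HybridFlowIssuer:
    """Mints distinct access tokens for the two legs of the hybrid flow."""

    def __init__(self):
        self._tokens = {}  # token value -> AccessToken (opaque-token registry)

    def _mint(self, scope, via, ttl, now):
        # Fresh random value per token, so the two legs never share a value.
        token = AccessToken(secrets.token_urlsafe(32), frozenset(scope), via, now + ttl)
        self._tokens[token.value] = token
        return token

    def issue_hybrid(self, granted_scope, now=None):
        """Return (front_channel_token, back_channel_token) for one authorization."""
        now = time.time() if now is None else now
        # Front channel: downscoped to the policy limit and short-lived.
        front = self._mint(granted_scope & FRONT_CHANNEL_SCOPE_LIMIT,
                           "authorization_endpoint", FRONT_CHANNEL_TTL, now)
        # Back channel: full granted scope, normal lifetime.
        back = self._mint(granted_scope, "token_endpoint", BACK_CHANNEL_TTL, now)
        return front, back

    def introspect(self, value, now=None):
        """Resource-server side check: None if the token is unknown or expired."""
        now = time.time() if now is None else now
        token = self._tokens.get(value)
        if token is None or now >= token.expires_at:
            return None
        return {"scope": token.scope, "issued_via": token.issued_via}
```

A resource server that sees issued_via == "authorization_endpoint" can apply the lower trust the text argues for, while the back-channel token carries the full grant.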