[Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same Access Token but...

George Fletcher gffletch at aol.com
Mon Oct 21 16:42:38 UTC 2013


+1

I would fully expect that the scopes of the two tokens could be quite 
different. To me, changes in expiry time are possible but potentially 
less likely.

Thanks,
George

On 10/21/13 12:38 PM, Nat Sakimura wrote:
>
> The new core recommends the following. This seems to be a new text 
> introduced in the new core.
>
>
>       2.3.3.8.  Access Token
>
> If an Access Token is returned from both the Authorization Endpoint 
> and from the Token Endpoint, which is the case with the 
> response_type values code token and code id_token token, it is 
> RECOMMENDED that their values be the same.
>
> Is this true? I feel like the opposite is true. The reason for getting 
> an Access Token from both the AuthZ Endpoint and the Token Endpoint is 
> that they have different security characteristics: The latter is more 
> secure and thus trusted. So, there is a value in differentiating 
> between them. e.g. the former has lesser expiry time as well as lesser 
> permission.
>
> I feel like it should be as follows:
>
>
>       2.3.3.8.  Access Token
>
> If an Access Token is returned from both the Authorization Endpoint 
> and from the Token Endpoint, which is the case with the 
> response_type values code token and code id_token token, it is 
> RECOMMENDED that their values be different. The access token returned 
> from the Authorization Endpoint is more vulnerable to various attacks so 
> that it has less trust than that returned from the Token Endpoint. 
> Thus, the Server MAY give lesser permission and a shorter lifetime for 
> the Access Token that is returned from the Authorization Endpoint.
>
> Section 2.3 has a bunch of bugs which were quite clear in how to fix, but 
> this one was not that obvious so I am asking.
>
> Best,
>
>
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab

-- 
George Fletcher <http://connect.me/gffletch>
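The policy Nat proposes (distinct token values, with the front-channel token carrying less scope and a shorter lifetime, which also lets the server revoke one without the other), as an added example that is not from this thread or from any OpenID implementation; the scope allowlist, the TTLs and the AuthorizationServer class are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Assumed policy: scopes the server is willing to grant on the front-channel
# (authorization-endpoint) token; anything else needs the token-endpoint token.
FRONT_CHANNEL_SCOPES = {"openid", "profile"}
FRONT_CHANNEL_TTL = 5 * 60    # seconds; shorter life for the less-trusted token
BACK_CHANNEL_TTL = 60 * 60

@dataclass
class AccessToken:
    value: str
    subject: str
    scopes: frozenset
    expires_at: float
    issued_via: str  # "authorization_endpoint" or "token_endpoint"

class AuthorizationServer:
    """Hypothetical AS that issues two distinct tokens for response_type=code token."""

    def __init__(self):
        self._tokens = {}

    def _mint(self, subject, scopes, ttl, issued_via, now):
        tok = AccessToken(secrets.token_urlsafe(32), subject, frozenset(scopes), now + ttl, issued_via)
        self._tokens[tok.value] = tok
        return tok

    def hybrid_flow_tokens(self, subject, requested_scopes, now=None):
        """Return (front_channel_token, back_channel_token); values always differ."""
        now = time.time() if now is None else now
        requested = set(requested_scopes)
        front = self._mint(subject, requested & FRONT_CHANNEL_SCOPES, FRONT_CHANNEL_TTL,
                           "authorization_endpoint", now)
        back = self._mint(subject, requested, BACK_CHANNEL_TTL, "token_endpoint", now)
        return front, back

    def revoke(self, token_value):
        """Distinct values let the AS revoke the exposed token on its own."""
        self._tokens.pop(token_value, None)

    def authorize(self, token_value, required_scope, now=None):
        """Resource-server check: token known, unexpired, and carrying the scope."""
        now = time.time() if now is None else now
        tok = self._tokens.get(token_value)
        if tok is None or now >= tok.expires_at:
            return False
        return required_scope in tok.scopes
```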