[Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same Access Token but...

Nat Sakimura sakimura at gmail.com
Mon Oct 21 17:22:57 UTC 2013


2.3.3.6 seems fine to me.

Section 11 is also new. We need to read them carefully.


2013/10/22 Mike Jones <Michael.Jones at microsoft.com>

> This, and the related text about the multiple ID Tokens possible with
> the hybrid flow are on the agenda to discuss today.
>
> The text about the ID Token in
> http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken2 is
> more important, actually, containing minimum requirements that the issuer
> and subject be the same, etc.
>
> -- Mike
>
> From: openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
> Sent: Monday, October 21, 2013 9:38 AM
> To: openid-specs-ab at lists.openid.net
> Subject: [Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same Access
> Token but...
>
> The new core recommends the following. This seems to be new text
> introduced in the new core.
>
> 2.3.3.8.  Access Token
>
> If an Access Token is returned from both the Authorization Endpoint and
> from the Token Endpoint, which is the case with the response_type values
> code token and code id_token token, it is RECOMMENDED that their values
> be the same.
>
> Is this true? I feel like the opposite is true. The reason for getting
> an Access Token from both the AuthZ Endpoint and the Token Endpoint is that
> they have different security characteristics: the latter is more secure and
> thus trusted. So, there is value in differentiating between them, e.g.
> the former has a lesser expiry time as well as lesser permissions.
>
> I feel like it should be as follows:
>
> 2.3.3.8.  Access Token
>
> If an Access Token is returned from both the Authorization Endpoint and
> from the Token Endpoint, which is the case with the response_type values
> code token and code id_token token, it is RECOMMENDED that their values
> be different. The access token returned from the Authorization Endpoint is
> more vulnerable to various attacks, so that it has less trust than that
> returned from the Token Endpoint. Thus, the Server MAY give lesser
> permission and a shorter lifetime for the Access Token that is returned
> from the Authorization Endpoint.
>
> Section 2.3 has a bunch of bugs which were quite clear in how to fix, but
> this one was not that obvious, so I am asking.
>
> Best,
>
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
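As an added illustration of the policy Nat proposes in the quoted text (example code written for this page, not part of the thread or of the OpenID Connect specification), the model below mints distinct access tokens for the Authorization Endpoint and the Token Endpoint in the hybrid flow, giving the front-channel token a shorter lifetime and a reduced scope set, and includes the client-side issuer/subject consistency check Mike points to for the two ID Tokens. The lifetimes and the allowed front-channel scopes are assumed values; the thread gives no numbers.

```python
"""Constructed model of differentiated access tokens in the OIDC hybrid flow.

Not spec text: an authorization server that issues separate tokens for the
front channel (Authorization Endpoint, fragment-delivered) and the back
channel (Token Endpoint, authenticated POST), plus the client-side check
that the two ID Tokens of the hybrid flow agree on issuer and subject.
"""
import secrets
import time

# Policy knobs (assumed values; the mailing-list thread gives no numbers).
FRONT_CHANNEL_TTL = 300                                # seconds, short-lived
BACK_CHANNEL_TTL = 3600                                # seconds
FRONT_CHANNEL_ALLOWED_SCOPES = {"openid", "profile"}   # reduced scope set


def issue_hybrid_tokens(response_type, requested_scopes, now=None):
    """Return (front_token, back_token) for a hybrid-flow response_type.

    front_token is None unless response_type contains 'token', i.e. the
    'code token' and 'code id_token token' cases named in 2.3.3.8. When
    both tokens exist they have independent values, the front-channel
    token expires sooner and carries only the allowed subset of scopes.
    """
    now = time.time() if now is None else now
    parts = set(response_type.split())
    if "code" not in parts:
        raise ValueError("hybrid flow requires 'code' in response_type")
    requested = set(requested_scopes)
    back = {
        "value": secrets.token_urlsafe(32),
        "scope": requested,
        "exp": now + BACK_CHANNEL_TTL,
        "channel": "token_endpoint",
    }
    front = None
    if "token" in parts:
        front = {
            "value": secrets.token_urlsafe(32),  # independent value, never reused
            "scope": requested & FRONT_CHANNEL_ALLOWED_SCOPES,
            "exp": now + FRONT_CHANNEL_TTL,
            "channel": "authorization_endpoint",
        }
    return front, back


def id_tokens_consistent(front_id_token, back_id_token):
    """Client-side check: the ID Tokens from both endpoints must share iss and sub."""
    return all(front_id_token.get(c) == back_id_token.get(c) for c in ("iss", "sub"))
```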