[Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same Access Token but...

Nat Sakimura sakimura at gmail.com
Mon Oct 21 17:56:59 UTC 2013


OK. That's probably why I did not find any issue with it :-)


2013/10/22 Mike Jones <Michael.Jones at microsoft.com>

>  The text on using refresh tokens in section 11 is not new.  The section
> headings are.  That being said, more review of any section is always
> welcomed!
>
>                                                             -- Mike
>
>
> *From:* Nat Sakimura [mailto:sakimura at gmail.com]
> *Sent:* Monday, October 21, 2013 10:23 AM
> *To:* Mike Jones
> *Cc:* openid-specs-ab at lists.openid.net
> *Subject:* Re: [Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same
> Access Token but...
>
> 2.3.3.6 seems fine to me.
>
> Section 11 is also new. We need to read them carefully.
>
>
> 2013/10/22 Mike Jones <Michael.Jones at microsoft.com>
>
> This, and the related text about the multiple ID Tokens possible with the
> hybrid flow are on the agenda to discuss today.
>
> The text about the ID Token in
> http://openid.net/specs/openid-connect-core-1_0.html#HybridIDToken2 is
> more important, actually, containing minimum requirements that the issuer
> and subject be the same, etc.
>
>                                                             -- Mike
>
> *From:* openid-specs-ab-bounces at lists.openid.net [mailto:
> openid-specs-ab-bounces at lists.openid.net] *On Behalf Of *Nat Sakimura
> *Sent:* Monday, October 21, 2013 9:38 AM
> *To:* openid-specs-ab at lists.openid.net
> *Subject:* [Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same Access
> Token but...
>
>
> The new core recommends the following. This seems to be new text
> introduced in the new core.
>
>  2.3.3.8.  Access Token
>
> If an Access Token is returned from both the Authorization Endpoint and
> from the Token Endpoint, which is the case with the response_type values
> code token and code id_token token, it is RECOMMENDED that their values
> be the same.
>
>
> Is this true? I feel like the opposite is true. The reason for getting an
> Access Token from both the AuthZ Endpoint and the Token Endpoint is that
> they have different security characteristics: the latter is more secure and
> thus trusted. So, there is value in differentiating between them, e.g.
> the former has a shorter expiry time as well as lesser permissions.
>
> I feel like it should be as follows:
>
>  2.3.3.8.  Access Token
>
> If an Access Token is returned from both the Authorization Endpoint and
> from the Token Endpoint, which is the case with the response_type values
> code token and code id_token token, it is RECOMMENDED that their values
> be different. The access token returned from the Authorization Endpoint is more
> vulnerable to various attacks, so it has less trust than that returned
> from the Token Endpoint. Thus, the Server MAY give lesser permissions and
> a shorter lifetime to the Access Token that is returned from the
> Authorization Endpoint.
>
> Section 2.3 has a bunch of bugs for which the fix was quite clear, but
> this one was not that obvious, so I am asking.
>
> Best,
>
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
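As an added illustration of the two points debated in this thread (it is not code from the list or from the OpenID Connect specification): a client reconciling the ID Tokens and Access Tokens it receives from both endpoints in the hybrid flow, checking that issuer and subject agree, and an Authorization Server policy implementing Nat's proposal of a distinct, shorter-lived, narrower front-channel Access Token. The dict shapes, the `allowed` scope set and `max_lifetime` are assumptions for the example; ID Tokens are passed as already signature-verified claim dicts.

```python
"""Constructed example for the thread (not code from the list or the spec):
a client reconciling the tokens it receives from both endpoints in the hybrid
flow, plus the server-side policy proposed in the thread. ID Tokens are passed
as already signature-verified claim dicts."""
import secrets
from dataclasses import dataclass, field


@dataclass
class HybridResult:
    ok: bool                # False if the two responses are inconsistent
    access_token: str       # the token the client should use against the API
    tokens_identical: bool  # did both endpoints return the same value?
    problems: list = field(default_factory=list)


def reconcile_hybrid_response(front: dict, back: dict) -> HybridResult:
    """front/back: {"id_token": claims, "access_token": str} as returned by the
    Authorization Endpoint and the Token Endpoint respectively (assumed shape)."""
    problems = []
    # Minimum requirement cited in the thread: issuer and subject must agree
    # across the two ID Tokens, otherwise they describe different sessions.
    for claim in ("iss", "sub"):
        if front["id_token"].get(claim) != back["id_token"].get(claim):
            problems.append(f"ID Token claim '{claim}' differs between endpoints")
    identical = front["access_token"] == back["access_token"]
    # The Token Endpoint value arrived over the back channel with client
    # authentication; when the two differ, that is the one to rely on.
    return HybridResult(not problems, back["access_token"], identical, problems)


def mint_front_channel_token(back: dict, max_lifetime: int, allowed: set) -> dict:
    """Authorization Server side of the proposal: the Access Token delivered via
    the Authorization Endpoint is a fresh value with a shorter lifetime and no
    more than the scopes in `allowed` (a policy knob assumed for the example)."""
    scopes = set(back["scope"].split()) & allowed
    return {
        "access_token": secrets.token_urlsafe(32),  # fresh random value
        "expires_in": min(back["expires_in"], max_lifetime),
        "scope": " ".join(sorted(scopes)),
    }


if __name__ == "__main__":
    claims = {"iss": "https://op.example.com", "sub": "user-123"}  # constructed
    front = {"id_token": claims, "access_token": "front-tok"}
    back = {"id_token": dict(claims), "access_token": "back-tok"}
    print(reconcile_hybrid_response(front, back))
```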