[Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same Access Token but...

Vladimir Dzhuvinov / NimbusDS vladimir at nimbusds.com
Tue Oct 22 07:37:20 UTC 2013


That was a good catch. My suggestion is to use "MAY" instead of
"RECOMMENDED", since the OP may also serve simple requests where all
claims granted by the access tokens are deemed non-sensitive by the OP.
This also clears the contradiction with the second sentence which says
"the Server MAY give lesser...".

The reworked paragraph could read

***
If an Access Token is returned from both the Authorization Endpoint and
from the Token Endpoint, which is the case with the response_type values
code token and code id_token token, their values MAY be different. The
access token returned from Authorization Endpoint is more vulnerable to
various attacks so that it has less trust than that returned from the
Token Endpoint. Thus, the Server MAY give lesser permission and shorter
lifetime for the Access Token that is returned from the Authorization
Endpoint.
***

Cheers,

Vladimir

--
Vladimir Dzhuvinov : www.NimbusDS.com : vladimir at nimbusds.com
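One way an OP could act on the "MAY" in the reworked paragraph above, as an added example (not code from this thread, the spec, or NimbusDS): the hybrid-flow token issued via the Authorization Endpoint gets the non-sensitive subset of the granted scopes and a shorter lifetime, while the one from the Token Endpoint carries the full grant. The scope policy, lifetimes and in-memory token store are constructed for illustration.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed policy: scopes the OP treats as sensitive are withheld from the
# front-channel token, which also gets a shorter lifetime than the back-channel one.
SENSITIVE_SCOPES = {"email", "address", "phone"}
FRONT_CHANNEL_TTL = 300    # seconds; token returned from the Authorization Endpoint
BACK_CHANNEL_TTL = 3600    # seconds; token returned from the Token Endpoint


@dataclass
class AccessToken:
    value: str
    scopes: frozenset
    expires_at: float
    issued_via: str  # "authorization_endpoint" or "token_endpoint"


# Opaque token store standing in for the OP's token database (constructed).
TOKEN_STORE: dict = {}


def _mint(scopes, ttl, issued_via, now):
    tok = AccessToken(secrets.token_urlsafe(32), frozenset(scopes), now + ttl, issued_via)
    TOKEN_STORE[tok.value] = tok
    return tok


def issue_hybrid_tokens(granted_scopes, now=None):
    """Mint the two Access Tokens of a 'code token' / 'code id_token token' response.

    The front-channel token is restricted to the non-sensitive subset of the
    granted scopes and expires sooner; the token handed out by the Token
    Endpoint after the code exchange gets the full grant and lifetime.
    """
    now = time.time() if now is None else now
    front = _mint(set(granted_scopes) - SENSITIVE_SCOPES, FRONT_CHANNEL_TTL,
                  "authorization_endpoint", now)
    back = _mint(granted_scopes, BACK_CHANNEL_TTL, "token_endpoint", now)
    return front, back


def check_access(token_value, required_scope, now=None):
    """Resource-server check: the token must be known, unexpired and carry the scope."""
    now = time.time() if now is None else now
    tok = TOKEN_STORE.get(token_value)
    if tok is None or now >= tok.expires_at:
        return False
    return required_scope in tok.scopes
```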


-------- Original Message --------
Subject: Re: [Openid-specs-ab] New Core: 2.3.3.8 RECOMMENDs the same
Access Token but...
From: George Fletcher <gffletch at aol.com>
Date: Mon, October 21, 2013 5:42 pm
To: Nat Sakimura <sakimura at gmail.com>, 
"openid-specs-ab at lists.openid.net" <openid-specs-ab at lists.openid.net>

+1

I would fully expect that the scopes of the two tokens could be quite
different. To me, changes in expiry time are possible but potentially
less likely.

Thanks,
George

On 10/21/13 12:38 PM, Nat Sakimura wrote:

The new core recommends the following. This seems to be new text
introduced in the new core.

2.3.3.8.  Access Token
If an Access Token is returned from both the Authorization Endpoint and
from the Token Endpoint, which is the case with the response_type values
code token and code id_token token, it is RECOMMENDED that their values
be the same.

Is this true? I feel like the opposite is true. The reason for getting
the Access Token from both the AuthZ Endpoint and the Token Endpoint is
that they have different security characteristics: the latter is more
secure and thus trusted. So, there is value in differentiating between
them, e.g. the former has lesser expiry time as well as lesser permission.

I feel like it should be as follows:

2.3.3.8.  Access Token
If an Access Token is returned from both the Authorization Endpoint and
from the Token Endpoint, which is the case with the response_type values
code token and code id_token token, it is RECOMMENDED that their values
be different. The access token returned from the Authorization Endpoint
is more vulnerable to various attacks so that it has less trust than
that returned from the Token Endpoint. Thus, the Server MAY give lesser
permission and shorter lifetime for the Access Token that is returned
from the Authorization Endpoint.

Section 2.3 has a bunch of bugs which were quite clear in how to fix,
but this one was not that obvious, so I am asking.

Best,

--
Nat Sakimura (=nat) Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-ab