[Openid-specs-ab] Issue #907: Core - 2.3.3.8. Access Token - ATs should be different. (openid/connect)

Nat Sakimura issues-reply at bitbucket.org
Mon Dec 2 17:00:26 UTC 2013


New issue 907: Core - 2.3.3.8. Access Token - ATs should be different.
https://bitbucket.org/openid/connect/issue/907/core-2338-access-token-ats-should-be

Nat Sakimura:

Current text states: 

If an Access Token is returned from both the Authorization Endpoint and from the Token Endpoint, which is the case with the response_type values code token and code id_token token, their values MAY be the same or in some cases, they might be different.

In my comments back on October 22, I pointed out that they should be different and provided the following text. The WG has also agreed that they should be different, as the security property is different. Therefore, I propose to adopt the text provided on Oct. 22, which is:

If an Access Token is returned from both the Authorization Endpoint and from the Token Endpoint, which is the case with the response_type values code token and code id_token token, it is RECOMMENDED that their values be different. The access token returned from the Authorization Endpoint is more vulnerable to various attacks, so it has less trust than that returned from the Token Endpoint. Thus, the Server MAY give lesser scope and/or shorter lifetime for the Access Token that is returned from the Authorization Endpoint.
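One way an Authorization Server could implement the distinction the proposed text allows, as an added example that is not part of the issue, the mailing list thread or the OpenID Connect specification: a toy in-memory server that, for the hybrid response_type values (code token, code id_token token), issues a fresh front-channel Access Token with a reduced scope set and a short lifetime, and a separate, fully scoped Access Token when the code is redeemed at the Token Endpoint. The lifetimes, the allowed-scope policy, the class and function names and the sample scopes are constructed for this example; ID Token issuance is omitted.

```python
import secrets

# Constructed policy values for this example; a real server would take these from configuration.
FRONT_CHANNEL_LIFETIME = 300        # seconds: token delivered in the redirect URI fragment
BACK_CHANNEL_LIFETIME = 3600        # seconds: token delivered by the Token Endpoint
# Scopes the server is willing to expose on a front-channel token at all (constructed policy).
FRONT_CHANNEL_ALLOWED_SCOPES = frozenset({"openid", "profile"})


class AuthorizationServer:
    """Toy in-memory Authorization Server modelling the hybrid flow's two token issuances."""

    def __init__(self):
        self.tokens = {}   # access token value -> metadata
        self.codes = {}    # authorization code -> pending authorization context

    def authorize(self, client_id, response_type, scope, now):
        """Authorization Endpoint: for 'code token' / 'code id_token token' also issue a
        front-channel Access Token with reduced scope and a short lifetime."""
        parts = response_type.split()
        if "code" not in parts:
            raise ValueError("example only models the hybrid flow (response_type containing code)")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "scope": frozenset(scope), "used": False}
        response = {"code": code}
        if "token" in parts:
            reduced = frozenset(scope) & FRONT_CHANNEL_ALLOWED_SCOPES
            response["access_token"] = self._issue(
                client_id, reduced, FRONT_CHANNEL_LIFETIME, now, "authorization_endpoint")
            response["expires_in"] = FRONT_CHANNEL_LIFETIME
        return response

    def token(self, code, client_id, now):
        """Token Endpoint: redeem the code once and issue a distinct, fully scoped Access Token."""
        ctx = self.codes.get(code)
        if ctx is None or ctx["used"] or ctx["client_id"] != client_id:
            raise PermissionError("invalid_grant")
        ctx["used"] = True
        return {
            "access_token": self._issue(
                client_id, ctx["scope"], BACK_CHANNEL_LIFETIME, now, "token_endpoint"),
            "expires_in": BACK_CHANNEL_LIFETIME,
        }

    def _issue(self, client_id, scope, lifetime, now, issued_via):
        value = secrets.token_urlsafe(32)   # fresh random value; the front-channel token is never reused
        self.tokens[value] = {"client_id": client_id, "scope": scope,
                              "exp": now + lifetime, "issued_via": issued_via}
        return value

    def introspect(self, token, now):
        """What a resource server would learn about a presented token."""
        meta = self.tokens.get(token)
        if meta is None or now >= meta["exp"]:
            return {"active": False}
        return {"active": True, "scope": sorted(meta["scope"]),
                "exp": meta["exp"], "issued_via": meta["issued_via"]}


def run_hybrid_flow(now=1_700_000_000):
    """Drive one 'code id_token token' authorization and report how the two tokens differ."""
    srv = AuthorizationServer()
    requested = {"openid", "profile", "email", "offline_access"}   # constructed sample request
    front = srv.authorize("client-app", "code id_token token", requested, now)
    back = srv.token(front["code"], "client-app", now)
    # A replayed authorization code must be rejected.
    try:
        srv.token(front["code"], "client-app", now)
        code_replay_rejected = False
    except PermissionError:
        code_replay_rejected = True
    return {
        "tokens_differ": front["access_token"] != back["access_token"],
        "front": srv.introspect(front["access_token"], now),
        "back": srv.introspect(back["access_token"], now),
        "front_after_10min": srv.introspect(front["access_token"], now + 600),
        "back_after_10min": srv.introspect(back["access_token"], now + 600),
        "code_replay_rejected": code_replay_rejected,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_hybrid_flow(), indent=2))
```

Running the block shows the point of the proposed text: the token that travelled through the browser carries only the scopes the policy allows on the front channel and is already inactive ten minutes later, while the token obtained from the Token Endpoint carries the full requested scope and remains valid. Because the two values are independent random strings, a resource server or introspection endpoint can tell which channel a presented token came from and apply trust accordingly.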