[Openid-specs-ab] Issue #907: Core - 220.127.116.11. Access Token - ATs should be different. (openid/connect)
Michael.Jones at microsoft.com
Mon Dec 2 19:17:01 UTC 2013
I have two problems with the proposed text. First, and foremost, if we recommend that the two access tokens be different, we're making simple things complicated, which is the opposite of our design philosophy. I would expect that a normal implementation would return an access token that's appropriate for the front channel on the front channel and then return the same access token on the back channel. If it's safe enough for the front channel, it's also safe on the back channel. That's keeping simple things simple.
Returning different access tokens is an advanced case, which I'll note that we have no syntax for governing. The scopes and "claims" logic just talk about *the* access token, not multiple access tokens, nor do we want to introduce new syntax to differentiate between them now. We shouldn't be recommending advanced behavior that is incompletely specified.
Secondly, the second sentence should actually be part of the security considerations - not the normative text about this case. It would be fine to include this as part of a general treatment about the security differences between tokens returned on the front channel and on the back channel. If you want to propose specific security considerations text along those lines, I'd welcome that. But this doesn't belong here.
Therefore, I believe that this proposal should be rejected, and possibly replaced by a new proposal for additional security considerations text.
From: openid-specs-ab-bounces at lists.openid.net [mailto:openid-specs-ab-bounces at lists.openid.net] On Behalf Of Nat Sakimura
Sent: Monday, December 02, 2013 9:00 AM
To: openid-specs-ab at lists.openid.net
Subject: [Openid-specs-ab] Issue #907: Core - 18.104.22.168. Access Token - ATs should be different. (openid/connect)
New issue 907: Core - 22.214.171.124. Access Token - ATs should be different.
Current text states:
If an Access Token is returned from both the Authorization Endpoint and from the Token Endpoint, which is the case with the response_type values code token and code id_token token, their values MAY be the same or in some cases, they might be different.
In my comments back in October 22, I have pointed out that they should be different and provided the following text. The WG also have agreed that they should be different as the security property is different. Therefore, I propose to adopt the text provided on Oct. 22, which is:
If an Access Token is returned from both the Authorization Endpoint and from the Token Endpoint, which is the case with the response_type values code token and code id_token token, it is RECOMMENDED that their values be different. The access token returned from Authorization Endpoint is more vulnerable to various attacks so that it has less trust than that returned from the Token Endpoint. Thus, the Server MAY give lesser scope and/or shorter lifetime for the Access Token that is returned from the Authorization Endpoint.
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
More information about the Openid-specs-ab