[Openid-specs-ab] Identity impersonation?

Richer, Justin P. jricher at mitre.org
Mon Nov 24 16:42:26 UTC 2014


It's fundamentally up to the OP to decide which "user" to issue the token for. In the usual case, this means that the person at the keyboard is given one identity and that's the identity that is communicated. But there's nothing stopping an OP from issuing an ID token for a different account if it wants to -- but your RPs had better know that's going on, or they won't be able to trust the OP anymore. With federated protocols, the RP is at the mercy of the OP's trust decisions, and this is frankly what scares people away from federation at first glance. But if the OP is known and it has known, auditable and predictable behavior, then the RP can make the appropriate trust decisions based on that.

The token work that Mike mentioned in the OAuth WG is something different, and I don't think it's what you're after.

 -- Justin


On Nov 24, 2014, at 10:22 AM, Vladimir Dzhuvinov / NimbusDS <vladimir at nimbusds.com> wrote:

> Hi guys,
> 
> We have a customer who asked whether OIDC supports impersonation, i.e.
> the ability to login as somebody else and receive an id_token for the
> impersonated user.
> 
> My understanding is that id_tokens should always be linked to a true
> identity, and that impersonation should happen by means of an access
> token only (here I assume that the OP is also an OAuth server). Am I
> correct on this?
> 
> Thanks,
> 
> Vladimir
> 
> --
> Vladimir Dzhuvinov
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
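The trust relationship Justin describes, as an added worked example that is not part of the thread and not code from any OpenID Foundation spec or implementation: a toy OP picks the `sub` for the ID token (normally the session user, optionally a different account via a hypothetical `act_as` parameter) and a toy RP can only verify that the token really came from an issuer it knows and then apply its own policy. Assumptions, all mine: the OP and RP share an HS256 key (a real deployment would use the OP's published RSA/EC keys), the OP records the real user in a made-up `impersonated_by` claim, and the RP keeps a list of issuers it is willing to accept impersonated tokens from. Standard library only, so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Hand-rolled HS256 JWT so the example needs no third-party library."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


class OP:
    """Toy OpenID Provider. Assumption: it shares one HS256 key with the RP."""

    def __init__(self, issuer: str, key: bytes):
        self.issuer, self.key = issuer, key

    def issue_id_token(self, session_user, audience, act_as=None, now=None):
        # The OP alone decides what goes into `sub`. `act_as` is a hypothetical
        # knob standing in for whatever impersonation feature an OP might have.
        now = int(time.time()) if now is None else int(now)
        subject = act_as or session_user
        claims = {"iss": self.issuer, "sub": subject, "aud": audience,
                  "iat": now, "exp": now + 300}
        if subject != session_user:
            # Hypothetical claim: who was actually at the keyboard.
            claims["impersonated_by"] = session_user
        return sign_jwt(claims, self.key)


class RP:
    """Toy Relying Party: trusts specific issuers, applies its own policy."""

    def __init__(self, client_id, op_keys, impersonation_allowed_from=()):
        self.client_id = client_id
        self.op_keys = dict(op_keys)                      # issuer -> HS256 key
        self.impersonation_allowed_from = set(impersonation_allowed_from)

    def validate(self, token, now=None):
        now = int(time.time()) if now is None else int(now)
        try:
            h64, b64, s64 = token.split(".")
            header = json.loads(_unb64url(h64))
            claims = json.loads(_unb64url(b64))
        except ValueError:                                # covers base64/JSON errors
            raise ValueError("malformed token")
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")            # refuse 'none' and friends
        key = self.op_keys.get(claims.get("iss"))
        if key is None:
            raise ValueError("unknown issuer")            # not an OP we trust at all
        expected = hmac.new(key, f"{h64}.{b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s64)):
            raise ValueError("bad signature")
        if claims.get("aud") != self.client_id:
            raise ValueError("wrong audience")
        if claims.get("exp", 0) <= now:
            raise ValueError("token expired")
        # The token is genuinely from a known OP. Whether to accept a `sub`
        # that is not the person at the keyboard is now a trust decision.
        if "impersonated_by" in claims and claims["iss"] not in self.impersonation_allowed_from:
            raise ValueError("impersonation not permitted from this OP")
        return claims


def try_validate(rp, token, now=None):
    """Return (claims, None) on success or (None, reason) on rejection."""
    try:
        return rp.validate(token, now), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    key = b"shared-secret-for-the-example"               # constructed, not real
    op = OP("https://op.example", key)
    strict = RP("rp-client", {"https://op.example": key})
    lenient = RP("rp-client", {"https://op.example": key},
                 impersonation_allowed_from=["https://op.example"])
    tok = op.issue_id_token("alice", "rp-client", act_as="bob")
    print("strict RP :", try_validate(strict, tok))
    print("lenient RP:", try_validate(lenient, tok))
```

The point the code makes is the one in the reply: signature, `iss`, `aud` and `exp` checks only establish that a known OP said so. If that OP is configured to impersonate, the RP has no way to detect it from the token unless the OP marks it and the RP has agreed in advance to honour (or refuse) that mark.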
