[Openid-specs-ab] Using ID token as JWT assertion grant

Vladimir Dzhuvinov vladimir at connect2id.com
Mon Sep 28 13:24:56 UTC 2015


Hi Thomas,

On 28.09.2015 15:03, Thomas Broyer wrote:
> On Mon, Sep 28, 2015 at 1:16 PM Vladimir Dzhuvinov <vladimir at connect2id.com>
> wrote:
>
>> Hello,
>>
>> Is anyone using ID tokens as a JWT assertion grant to obtain access
>> tokens from an AS?
>>
> Google is at least using something very similar:
> https://developers.google.com/identity/protocols/OAuth2ServiceAccount
>

Thanks for the pointer. This is an example of a client-generated JWT grant.

>> How do you go about satisfying the requirement that the AS URL (or AS
>> token endpoint URL) must be present in the ID token audience (aud)? (The
>> ID token audience is typically set to the client app).
>>
> AIUI, the idea is that the JWT is generated *by* the client.
>
So in that case the ID token should be included as a claim in a JWT
generated by the client? The idea is to enable a client to obtain an access
token on behalf of a logged-in user by means of implicit consent, but
without having to go through a front-channel OAuth request.

Vladimir

-- 
Vladimir Dzhuvinov
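
The audience problem discussed in this thread, as an added example that is not part of the original messages: an authorization server checking a JWT assertion rejects a plain ID token because its `aud` is the client, while a client-generated JWT addressed to the token endpoint can carry the ID token as a claim. The `id_token` claim name, the HS256 keys, the URLs and the identifiers are assumptions constructed for illustration; nothing in the thread defines this wrapping.

```python
import base64, hashlib, hmac, json, time

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict, key: bytes) -> str:
    # HS256 keeps this stdlib-only; real ID tokens are usually RS256-signed.
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify_jwt(token: str, key: bytes, expected_aud: str, now: int) -> dict:
    """Check alg, signature, expiry and audience; return claims or raise ValueError."""
    try:
        head, body, sig = token.split(".")
        pad = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
        header, claims, given = json.loads(pad(head)), json.loads(pad(body)), pad(sig)
        alg = header["alg"]
    except Exception as exc:
        raise ValueError("malformed JWT") from exc
    if alg != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims

# Constructed sample values (keys, URLs and identifiers are made up).
OP_KEY, CLIENT_KEY = b"op-demo-key", b"client-demo-key"
ISSUER, TOKEN_ENDPOINT = "https://op.example.com", "https://op.example.com/token"
CLIENT_ID, NOW = "client-123", int(time.time())

def check_wrapped_grant(assertion: str) -> dict:
    """AS side: outer JWT must target the token endpoint, inner ID token the client."""
    outer = verify_jwt(assertion, CLIENT_KEY, TOKEN_ENDPOINT, NOW)
    inner = verify_jwt(outer.get("id_token", ""), OP_KEY, CLIENT_ID, NOW)
    same = (outer.get("iss"), outer.get("sub")) == (CLIENT_ID, inner.get("sub"))
    if not same or inner.get("iss") != ISSUER:
        raise ValueError("ID token does not match grant")
    return inner

id_token = sign_jwt({"iss": ISSUER, "sub": "alice", "aud": CLIENT_ID, "exp": NOW + 300}, OP_KEY)
wrapped = sign_jwt({"iss": CLIENT_ID, "sub": "alice", "aud": TOKEN_ENDPOINT,
                    "exp": NOW + 60, "id_token": id_token}, CLIENT_KEY)
```

Passing `id_token` directly to `verify_jwt` with `TOKEN_ENDPOINT` as the expected audience raises `audience mismatch`, while `check_wrapped_grant(wrapped)` returns the inner ID token claims.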



