[Openid-specs-ab] JWT Access Token <> ID Token mixups

Filip Skokan panva.ip at gmail.com
Fri Sep 29 07:56:48 UTC 2017


Hello everyone,

I'm certain you've came across authorization servers issuing JWT-formatted
Access Tokens by now. Most frequently these are following the JWT profile
just like an ID Token does, opening up the possibility an Access Token is a
perfect ID Token lookalike and can be used i.e. as id_token_hint.

   - Is this a valid concern?
   - Shouldn't the JWT "typ" header parameter be used to strong type the ID
   Token (similar to SETs secevent+jwt)?
   - Any other way ID Tokens could have a unique required claims making it
   possible to differentiate between JWT Access Tokens and ID Tokens?

If not part of the specs, should the OPs supporting JWT access tokens be at
least recommended to push unique claims to their JWTs to be able to
distinguish between the different JWT uses?

Penny for your thoughts.

Best Regards,
*Filip Skokan*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20170929/b0603d5f/attachment.html>


More information about the Openid-specs-ab mailing list