<html><head><style type="text/css"><!-- DIV {margin:0px;} --></style></head><body><div style="font-family:tahoma,new york,times,serif;font-size:10pt"><div>It could be that I missed the discussion about the id_token being opaque only in the Lite spec.<br>In the Session Management spec, it is a JWT.<br>Breno, does that remain valid?<br>If so, I will update the Messages spec.<br><br><br>-- Edmund<br></div><div style="font-family:tahoma, new york, times, serif;font-size:10pt"><br><div style="font-family:arial, helvetica, sans-serif;font-size:10pt"><font face="Tahoma" size="2"><hr size="1"><b><span style="font-weight: bold;">From:</span></b> John Bradley <ve7jtb@ve7jtb.com><br><b><span style="font-weight: bold;">To:</span></b> Johnny Bufu <jbufu@janrain.com><br><b><span style="font-weight: bold;">Cc:</span></b> Edmund Jay <ejay@mgi1.com>; openid-specs-ab@lists.openid.net<br><b><span style="font-weight: bold;">Sent:</span></b> Wed, August 10,
2011 11:09:43 AM<br><b><span style="font-weight: bold;">Subject:</span></b> Re: [Openid-specs-ab] Spec call notes 08-Aug-11<br></font><br>There is additional session-related information in the id_token. It is only opaque to the lite spec. <br>A Full client just needs to check the signature and not use the introspection endpoint at all. <br>This is the same thing Facebook is doing with signed request, we have just added a way for a client that doesn't understand crypto to validate the token.<br><br>Why not use the id_token in both places? <br><br>We received strong pushback that people had existing formats for access tokens that they did not want to change.<br>My original preference was to use the same JWT for both. <br><br>Google, SalesForce and others wanted a separation between the two.<br>T-Mobile also expressed that that was their preference when I talked to them at the IETF.<br><br>Allowing the client to send an
access token to the introspection endpoint was also problematic for people like DT who want introspection to be stateless.<br><br>I guess the simple answer is that there may be different info in the two tokens.<br><br>John B.<br><br>On 2011-08-10, at 1:51 PM, Johnny Bufu wrote:<br><br>> Why are two tokens needed (access_token and id_token)? I don't see in the spec any reason that would prevent the use of just one token with both introspection and userinfo endpoints.<br>> <br>> Johnny<br>> <br>> On 11-08-08 05:15 PM, Edmund Jay wrote:<br>>> <br>>> Spec call notes 08-Aug-11<br>>> <br>>> Pam Dingle<br>>> John Bradley<br>>> Nat Sakimura<br>>> Johnny Bufu<br>>> George Fletcher<br>>> Edmund Jay<br>>> <br>>> <br>>> <br>>> John made some changes to the OpenID Lite spec<br>>> * changed the Introspection endpoint from GET request to POST request<br>>> due to
the fact that<br>>> the ID Token may be intercepted by referral URLs/Logs, and other methods.<br>>> Breno said in chat with Nat that GET and JSONP may be needed<br>>> John to contact Breno offline for further discussions<br>>> * made other non-controversial changes from feedback<br>>> <br>>> John will work on first draft of OpenID 2.0 compatibility/migration<br>>> spec. Maybe available tomorrow.<br>>> <br>>> Edmund will post first draft of OpenID Connect Messages spec to the<br>>> mailing list.<br>>> <br>>> <br>>> Discussion of JWT and long header names:<br>>> * most preferred longer names<br>>> * most feel that it's too late to make major changes to spec<br>>> * longer or shorter names can be implemented by defining long constant<br>>> values by developers vice versa<br>>> * perhaps better documentation in specs for short names<br>>>
<br>>> Pam has written an OpenID Connect landing page which will be posted to<br>>> the list for feedback<br>>> <br>>> WG to set up new support mailing list not encumbered by IPR agreements<br>>> for general and support questions and feedback.<br>>> <br>>> <br>>> <br>>> <br>>> <br>>> <<a href="http://openid.net/specs/openid-connect-framework-1_0.html" target="_blank">http://openid.net/specs/openid-connect-framework-1_0.html</a>><br>>> <br>>> <br>>> <br>>> <br>>> _______________________________________________<br>>> Openid-specs-ab mailing list<br>>> <a ymailto="mailto:Openid-specs-ab@lists.openid.net" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a><br>>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br><br></div></div>
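<div>The "Full client" path John describes above, checking the id_token signature locally instead of sending the token to the introspection endpoint, as an added example that is not part of this thread or of any OpenID specification: a constructed HS256 id_token is minted with a demo shared key (an assumption; the thread does not fix an algorithm or key type), then verified with algorithm pinning, a constant-time signature check, and issuer, audience and expiry checks.</div>

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by a hypothetical OP and client; not from the thread.
SECRET = b"constructed-demo-secret"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, key: bytes) -> str:
    """Stand-in for the OP: build an HS256-signed JWT carrying the id_token claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, now=None):
    """'Full client' path: verify locally, no introspection call; returns claims or None."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        # Pin the algorithm: "none" or any other alg is rejected before signature logic runs.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s_b64)):
            return None
        claims = json.loads(b64url_decode(p_b64))
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # The signature proves who minted the token; the claims say whether it is ours and current.
    if not isinstance(claims, dict) or claims.get("iss") != issuer or claims.get("aud") != client_id:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims
```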
</div></body></html>