<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">The id_token is the access token for the check session endpoint.<div><br></div><div>Only the id_token is sent to the check session endpoint.</div><div><br></div><div>As Oauth only has one access token we have to give the access token for the session endpoints a separate name. That is id_token. I did rase the possibility of calling it session but no one took me up on that.</div><div><br></div><div>The access token for the check session endpoint is a signed JWT that way a client can inspect it directly and never use the check session endpoint.</div><div><br></div><div>John B.<br><div><div>On 2011-08-19, at 3:06 PM, Allen Tom wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">In section 3.3.1 - Are both the access_token and the id_token supposed to be sent to the Check Session endpoint? The way that Section 3.3.1 in Draft 9 is currently written, it sounds like only the id_token is sent in the request, and that the id_token is actually the access_token.<div>
<br></div><div>It would probably be helpful to have an example Check Session request in the spec.<br><div><br></div><div>Allen</div><div><div><br></div><div><br><div class="gmail_quote">On Fri, Aug 19, 2011 at 12:02 PM, Allen Tom <span dir="ltr"><<a href="mailto:allentomdude@gmail.com">allentomdude@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">The explanation in Section 3 regarding when to use the Implicit vs Code flow is vague, because it's not clear as to what it means for a client to securely maintain state between itself and the auth server.<div>
<br></div>
<div>It might be better to just say that the Code flow should be used if the redirect_uri doesn't use HTTPS, and if the client is able to securely store its client_secret.</div><div><br></div><font color="#888888"><div>
Allen</div><div><br>
<div><br></div></div>
</font></blockquote></div><br></div></div></div>
</blockquote></div><br></div></body></html>