<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Helvetica, Arial, sans-serif">+1<br>
      <br>
      I would fully expect that the scopes of the two tokens could be
      quite different. To me, changes in expiry time are possible but
      potentially less likely.<br>
      <br>
      Thanks,<br>
      George<br>
      <br>
    </font>
    <div class="moz-cite-prefix">On 10/21/13 12:38 PM, Nat Sakimura
      wrote:<br>
    </div>
    <blockquote
cite="mid:CABzCy2DCNV4rjF8B15XMj8ZqFFBGTkxqkZoLUR-6jYh8bMNcfg@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>The new core recommends the following. This seems to be a
          new text introduced in the new core. </div>
        <h3><span lang="EN">2.3.3.8.  Access Token</span></h3>
        <span
          style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
          lang="EN">If an Access Token is
          returned from both the Authorization Endpoint and from the
          Token Endpoint,
          which is the case with the </span><tt><span
            style="font-size:12pt" lang="EN">response_type</span></tt><span
style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
          lang="EN"> values </span><tt><span style="font-size:12pt"
            lang="EN">code token</span></tt><span
          style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
          lang="EN"> and </span><tt><span style="font-size:12pt"
            lang="EN">code id_token token</span></tt><span
          style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
          lang="EN">, it is RECOMMENDED that their values be the same.</span><br
          clear="all">
        <div><br>
        </div>
        <div>Is this true? I feel like the opposite is true. The reason
          for getting an Access Token from both the AuthZ Endpoint and the
          Token Endpoint is that they have different security
          characteristics: the latter is more secure and thus trusted.
          So, there is value in differentiating between them, e.g. the
          former has a shorter expiry time as well as lesser permissions. </div>
        <div><br>
        </div>
        <div>I feel like it should be as follows: </div>
        <div><br>
        </div>
        <div>
          <h3><span lang="EN">2.3.3.8.  Access Token</span></h3>
          <span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN">If an Access Token is returned from both the
            Authorization Endpoint and from the Token Endpoint, which is
            the case with the </span><tt><span style="font-size:12pt"
              lang="EN">response_type</span></tt><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN"> values </span><tt><span style="font-size:12pt"
              lang="EN">code token</span></tt><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN"> and </span><tt><span style="font-size:12pt"
              lang="EN">code id_token token</span></tt><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN">, it is RECOMMENDED that their values be
            different. The access token returned from the Authorization
            Endpoint is more vulnerable to various attacks, so it has
            less trust than that returned from the Token Endpoint. Thus,
            the Server MAY give lesser permissions and a shorter lifetime
            to the Access Token that is returned from the Authorization
            Endpoint. </span><br>
        </div>
        <div><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN"><br>
          </span></div>
        <div><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN">Section 2.3 has a bunch of bugs whose fixes were
            quite clear, but this one was not that obvious, so I
            am asking. </span></div>
        <div><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN"><br>
          </span></div>
        <div><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN">Best, </span></div>
        <div><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN"><br>
          </span></div>
        <div><span
            style="font-size:12pt;font-family:Verdana,sans-serif;color:black"
            lang="EN"><br>
          </span></div>
        -- <br>
        Nat Sakimura (=nat)
        <div>Chairman, OpenID Foundation<br>
          <a moz-do-not-send="true" href="http://nat.sakimura.org/"
            target="_blank">http://nat.sakimura.org/</a><br>
          @_nat_en</div>
      </div>
      <br>
      <br>
      <pre wrap="">_______________________________________________
Openid-specs-ab mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-ab@lists.openid.net">Openid-specs-ab@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-ab">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
</pre>
    </blockquote>
    <br>
    <div class="moz-signature">-- <br>
      <a href="http://connect.me/gffletch" title="View full card on
        Connect.Me">George Fletcher</a></div>
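    <div>
      <p>The differentiated-token policy discussed above (an access token
        returned in the fragment from the Authorization Endpoint that has
        lesser permissions and a shorter lifetime than the one later obtained
        from the Token Endpoint, and a different value) can be sketched as a
        small in-memory authorization server. This is an added Python example
        written for this page; it is not code from the thread or text from
        any OpenID specification. The scope allowlist, the two lifetimes, and
        the class and function names are assumptions chosen for illustration,
        and the id_token is left out.</p>

```python
"""Hybrid-flow token issuance where the access token returned from the
Authorization Endpoint (in the URL fragment) and the one returned from the
Token Endpoint are distinct, the fragment token getting a narrower scope
and a shorter lifetime.  Illustrative only: the scope allowlist and the
lifetimes below are assumptions, not values from OpenID Connect Core."""
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed policy: scopes the server is willing to expose in a front-channel
# (fragment) token, and lifetimes per issuing endpoint.
FRONT_CHANNEL_SCOPES = frozenset({"openid", "profile"})
FRONT_CHANNEL_TTL = 300        # seconds
TOKEN_ENDPOINT_TTL = 3600      # seconds


@dataclass
class AccessToken:
    value: str
    scope: frozenset
    expires_at: float
    issued_via: str            # "authorization_endpoint" or "token_endpoint"


class AuthorizationServer:
    """Minimal in-memory server for response_type 'code token' and
    'code id_token token' (the id_token itself is not produced here)."""

    def __init__(self):
        self._codes = {}       # code -> (client_id, redirect_uri, scopes)
        self._tokens = {}      # token value -> AccessToken

    def _issue(self, scope, ttl, via, now):
        tok = AccessToken(secrets.token_urlsafe(24), frozenset(scope), now + ttl, via)
        self._tokens[tok.value] = tok
        return tok

    def authorize(self, client_id, redirect_uri, response_type, scope, state, now=None):
        """Front channel: returns the redirect URL carrying the response in its fragment."""
        now = time.time() if now is None else now
        rt = set(response_type.split())
        if "code" not in rt or "token" not in rt:
            raise ValueError("example handles only 'code token' / 'code id_token token'")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, frozenset(scope))
        # Fragment token: reduced scope, short lifetime, its own distinct value.
        tok = self._issue(frozenset(scope) & FRONT_CHANNEL_SCOPES,
                          FRONT_CHANNEL_TTL, "authorization_endpoint", now)
        params = {"code": code, "state": state,
                  "access_token": tok.value, "token_type": "Bearer",
                  "expires_in": FRONT_CHANNEL_TTL, "scope": " ".join(sorted(tok.scope))}
        return f"{redirect_uri}#{urlencode(params)}"

    def token(self, client_id, redirect_uri, code, now=None):
        """Back channel: redeems the single-use code for a full-scope, longer-lived token."""
        now = time.time() if now is None else now
        entry = self._codes.pop(code, None)          # a code is accepted once
        if entry is None or entry[0] != client_id or entry[1] != redirect_uri:
            raise PermissionError("invalid_grant")
        tok = self._issue(entry[2], TOKEN_ENDPOINT_TTL, "token_endpoint", now)
        return {"access_token": tok.value, "token_type": "Bearer",
                "expires_in": TOKEN_ENDPOINT_TTL, "scope": " ".join(sorted(tok.scope))}

    def introspect(self, value, now=None):
        """Returns the AccessToken if it is known and unexpired, else None."""
        now = time.time() if now is None else now
        tok = self._tokens.get(value)
        return tok if tok is not None and now < tok.expires_at else None

    def check_bearer(self, value, required_scope, now=None):
        """Resource-server check: token valid and carrying the required scope."""
        tok = self.introspect(value, now)
        return tok is not None and required_scope in tok.scope


def parse_fragment(redirect_url):
    """Client side: decode the fragment-encoded authorization response."""
    return {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
```

      <p>Calling <tt>authorize(..., "code id_token token", ["openid",
        "profile", "email"], ...)</tt> yields a fragment whose
        <tt>access_token</tt> only covers <tt>openid profile</tt> and expires
        after 300 seconds, while redeeming the <tt>code</tt> at
        <tt>token()</tt> returns a different token value covering all three
        scopes for an hour; a resource server that requires <tt>email</tt>
        therefore rejects the fragment token and accepts the back-channel
        one. A second redemption of the same code fails with
        <tt>invalid_grant</tt>.</p>
    </div>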
  </body>
</html>