<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
In the cases you've run across... do they really use the id_token as
an access_token? or rather as a bootstrap token into new
refresh/access tokens? Given that in most cases id_tokens do not
contain scopes it seems weird to use them as access tokens (the
difference between authentication and authorization).<br>
<br>
Thanks,<br>
George<br>
<br>
<div class="moz-cite-prefix">On 10/2/17 3:02 AM, Dominick Baier via
Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAO7Ng+v0y2-iGaV5oL7L8ZY0V77zzYdxiLvugYoEJvqiZ-Mq5A@mail.gmail.com">
<style>body{font-family:Helvetica,Arial;font-size:13px}</style>
<div id="bloop_customfont"
style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">We’ve
come across a number of implementations that promote the use of
id_tokens as access tokens e.g. Microsoft Azure AD (B2C), Google
and Auth0.</div>
<div><br>
</div>
<div>Every time we argue with e.g. Microsoft - they say “we did
our own threat modelling and it's fine”. So maybe the spec should
be very explicit about why this is not allowed or when exactly
this is OK or not.</div>
<div><br>
</div>
<div>There is a long thread here:</div>
<div><a
href="https://github.com/IdentityServer/IdentityServer3/issues/2015"
moz-do-not-send="true">https://github.com/IdentityServer/IdentityServer3/issues/2015</a></div>
<br>
<div id="bloop_sign_1506927336596803072" class="bloop_sign">
<div><br>
</div>
<div>-------</div>
<div>Dominick Baier</div>
</div>
<br>
<p class="airmail_on">On 29. September 2017 at 07:56:56, Filip
Skokan via Openid-specs-ab (<a
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>)
wrote:</p>
<blockquote type="cite" class="clean_bq"><span>
<div>
<div>
<div dir="ltr">
<div>Hello everyone,</div>
<div><br>
</div>
<div>I'm certain you've come across authorization servers issuing
JWT-formatted Access Tokens by now. Most frequently these are
following the JWT profile just like an ID Token does, opening up
the possibility that an Access Token is a perfect ID Token lookalike
and can be used, e.g., as id_token_hint.</div>
<div>
<ul>
<li>Is this a valid concern?<br>
</li>
<li>Shouldn't the JWT "typ" header parameter be used to strongly
type the ID Token (similar to SETs' secevent+jwt)?</li>
<li>Any other way ID Tokens could have unique required claims,
making it possible to differentiate between JWT Access Tokens
and ID Tokens?</li>
</ul>
<div>If not part of the specs, should the OPs supporting JWT access
tokens at least be recommended to push unique claims into their
JWTs, to be able to distinguish between the different JWT
uses?</div>
<div><br>
</div>
<div>Penny for your thoughts.<br>
</div>
<div><br>
</div>
</div>
<div>
<div class="gmail_signature">Best Regards,<br>
<b>Filip Skokan</b></div>
</div>
</div>
_______________________________________________
<br>
Openid-specs-ab mailing list
<br>
<a href="mailto:Openid-specs-ab@lists.openid.net"
moz-do-not-send="true">Openid-specs-ab@lists.openid.net</a>
<br>
<a
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
moz-do-not-send="true">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
<br>
</div>
</div>
</span></blockquote>
<br>
</blockquote>
<br>
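<p>The following is an added worked example, not code from the thread or from any of the implementations it names. It puts both points above into running code: Filip's concern that a JWT access token is a perfect ID Token lookalike unless the "typ" header (or a required claim) strongly types it, and George's point that an ID Token carries no scopes and so is an authentication artifact, not an authorization one. A resource server that only checks signature and issuer accepts an ID Token as an access token; one that additionally requires a typed header, a matching audience and a non-empty scope claim rejects it, and the same typing lets an id_token_hint validator reject an access token. HS256 with a constructed key, the issuer/client/resource identifiers, and the "id_token+jwt" typ value are assumptions for the example; "at+jwt" is the typ value RFC 9068 later registered for JWT access tokens and is not something the thread specifies.</p>

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: a real OP signs with an asymmetric key (RS256/ES256);
# HS256 only keeps this example self-contained.
KEY = b"constructed-demo-signing-key"
ISSUER = "https://op.example"        # assumed issuer identifier
CLIENT_ID = "rp-client"              # assumed relying party client_id
RESOURCE = "https://api.example"     # assumed resource server identifier

# "at+jwt" is the typ RFC 9068 later registered for JWT access tokens.
# "id_token+jwt" is a hypothetical value used here only to show the
# strong-typing idea raised in the thread; OIDC Core defines no such typ.
TYP_ACCESS = "at+jwt"
TYP_ID = "id_token+jwt"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes) -> str:
    """HS256 compact serialisation: base64url(header).base64url(claims).sig"""
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes):
    """Check alg, signature and exp; return (header, claims) or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    claims = json.loads(_b64url_decode(c))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return header, claims


def mint_id_token(sub: str, nonce: str, typed: bool) -> str:
    """ID Token: aud is the client, nonce present, no scope (authentication only)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": TYP_ID if typed else "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
              "iat": now, "exp": now + 300, "nonce": nonce}
    return sign_jwt(header, claims, KEY)


def mint_access_token(sub: str, scope: str, typed: bool) -> str:
    """JWT access token: aud is the resource, scope present (authorization)."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": TYP_ACCESS if typed else "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": RESOURCE,
              "iat": now, "exp": now + 300, "scope": scope}
    return sign_jwt(header, claims, KEY)


def naive_resource_server(token: str) -> bool:
    """Weak check (signature + issuer only): an ID Token passes as an access token."""
    _, claims = verify_jwt(token, KEY)
    return claims.get("iss") == ISSUER


def strict_resource_server(token: str) -> bool:
    """Hardened: typ, audience and a non-empty scope. An ID Token fails all three."""
    header, claims = verify_jwt(token, KEY)
    scope = claims.get("scope")
    return (header.get("typ") == TYP_ACCESS
            and claims.get("iss") == ISSUER
            and claims.get("aud") == RESOURCE
            and isinstance(scope, str) and scope != "")


def strict_id_token_hint(token: str, expected_sub: str) -> bool:
    """OP side: only a strongly typed ID Token for this client is a valid id_token_hint."""
    header, claims = verify_jwt(token, KEY)
    return (header.get("typ") == TYP_ID
            and claims.get("iss") == ISSUER
            and claims.get("aud") == CLIENT_ID
            and "nonce" in claims
            and claims.get("sub") == expected_sub)


if __name__ == "__main__":
    idt = mint_id_token("alice", "n-1", typed=False)
    print("naive RS accepts ID Token as access token:", naive_resource_server(idt))
    print("strict RS accepts it:", strict_resource_server(idt))
```

<p>The point of the two resource-server checks is that the "typ" header alone is only useful once every validator in the deployment insists on it; the audience and scope checks are what keep an untyped ID Token out even when the OP has not adopted a typed header, which is why the strict validator requires all of them rather than any one.</p>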
</body>
</html>