<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
If the JWT was issued by the same OP/AS it's being presented to as
an id_token_hint, and the OP can securely determine the user from
the access token then I don't think there are any security issues in
this flow. The biggest issue might be that the valid access token is
now flowing through the browser and hence is subject to a
man-in-the-browser capture and replay attack.<br>
<br>
Thanks,<br>
George<br>
<br>
<div class="moz-cite-prefix">On 10/2/17 10:31 AM, Filip Skokan
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CALAqi_9drLBE_-Kb909rw+4bRA5mfL-6GFUtDz+WKpQU38Epig@mail.gmail.com">
<div dir="ltr">
<div>Original question was purely concerned about the OPs
accepting a JWT formatted access tokens in places where ID
Token is expected, e.g. id_token_hint for authorization or
logout request.<br>
</div>
<div><br>
</div>
<div>Is that something to be concerned about?</div>
<div><br>
</div>
<div>
<div class="gmail_extra">
<div>
<div class="gmail_signature"
data-smartmail="gmail_signature">Best,<br>
<b>Filip Skokan</b></div>
</div>
<br>
<div class="gmail_quote">On Mon, Oct 2, 2017 at 4:28 PM,
George Fletcher <span dir="ltr"><<a
href="mailto:gffletch@aol.com" target="_blank"
moz-do-not-send="true">gffletch@aol.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"> In the cases
you've run across... do they really use the id_token
as an access_token? or rather as a bootstrap token
into new refresh/access tokens? Given that in most
cases id_tokens do not contain scopes it seems weird
to use them as access tokens (the difference between
authentication and authorization).<br>
<br>
Thanks,<br>
George
<div>
<div class="h5"><br>
<br>
<div class="m_9065664049678016792moz-cite-prefix">On
10/2/17 3:02 AM, Dominick Baier via
Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite">
<div id="m_9065664049678016792bloop_customfont"
style="font-family:Helvetica,Arial;font-size:13px;color:rgba(0,0,0,1.0);margin:0px;line-height:auto">We’ve
come across a number of implementations that
promote the use of id_tokens as access tokens
e.g. Microsoft Azure AD (B2C), Google and
Auth0.</div>
<div><br>
</div>
<div>Every time we argue with e.g. Microsoft -
they say “we did our own threat modelling and
it's fine”. So maybe the spec should be very
explicit about why this is not allowed or when
exactly this is OK or not.</div>
<div><br>
</div>
<div>There is a long thread here:</div>
<div><a
href="https://github.com/IdentityServer/IdentityServer3/issues/2015"
target="_blank" moz-do-not-send="true">https://github.com/<wbr>IdentityServer/<wbr>IdentityServer3/issues/2015</a></div>
<br>
<div
id="m_9065664049678016792bloop_sign_1506927336596803072"
class="m_9065664049678016792bloop_sign">
<div><br>
</div>
<div>-------</div>
<div>Dominick Baier</div>
</div>
<br>
<p class="m_9065664049678016792airmail_on">On
29. September 2017 at 07:56:56, Filip Skokan
via Openid-specs-ab (<a
href="mailto:openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true">openid-specs-ab@lists.openid.<wbr>net</a>)
wrote:</p>
<blockquote type="cite"
class="m_9065664049678016792clean_bq"><span>
<div>
<div>
<div dir="ltr">
<div>Hello everyone,</div>
<div><br>
</div>
<div>I'm certain you've come across
authorization servers issuing
JWT-formatted Access Tokens by now.
Most frequently these are following
the JWT profile just like an ID
Token does, opening up the
possibility an Access Token is a
perfect ID Token lookalike and can
be used i.e. as id_token_hint.</div>
<div>
<ul>
<li>Is this a valid concern?<br>
</li>
<li>Shouldn't the JWT "typ" header
parameter be used to strongly type
the ID Token (similar to
SETs secevent+jwt)?</li>
<li>Any other way ID Tokens could
have unique required claims
making it possible to
differentiate between JWT Access
Tokens and ID Tokens?</li>
</ul>
<div>If not part of the specs,
should the OPs supporting JWT
access tokens be at least
recommended to push unique claims
to their JWTs to be able to
distinguish between the different
JWT uses?</div>
<div><br>
</div>
<div>Penny for your thoughts.<br>
</div>
<div><br>
</div>
</div>
<div>
<div
class="m_9065664049678016792gmail_signature">Best
Regards,<br>
<b>Filip Skokan</b></div>
</div>
</div>
______________________________<wbr>_________________
<br>
Openid-specs-ab mailing list <br>
<a
href="mailto:Openid-specs-ab@lists.openid.net"
target="_blank" moz-do-not-send="true">Openid-specs-ab@lists.openid.<wbr>net</a>
<br>
<a
href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
target="_blank" moz-do-not-send="true">http://lists.openid.net/<wbr>mailman/listinfo/openid-specs-<wbr>ab</a>
<br>
</div>
</div>
</span></blockquote>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</blockquote>
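<br>
An added example, not taken from any message in this thread, of the check Filip's question and George's replies point at: an OP deciding whether a JWT presented as id_token_hint is really one of its own ID Tokens rather than a JWT-formatted access token, first by signature, then by the "typ" header, then by the claim shape (aud naming the RP, no scope claim). Assumptions: the HS256 key, issuer, client_id and sample tokens are constructed here, and the "at+jwt" typ value comes from RFC 9068, which postdates this thread.<br>

```python
import base64
import hashlib
import hmac
import json

# Constructed HMAC key for this example only; a real OP signs with its own (usually asymmetric) key.
KEY = b"constructed-example-signing-key"
ISSUER, CLIENT_ID = "https://op.example", "rp-client-1"  # assumed OP issuer and RP client_id

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(header, claims):
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def make_id_token(now=1506927336):
    return sign_hs256({"alg": "HS256", "typ": "JWT"},
                      {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID, "nonce": "n-1",
                       "iat": now, "exp": now + 3600})

def make_jwt_access_token(typ, now=1506927336):
    # Same issuer and key, so the signature alone cannot tell this apart from an ID Token.
    return sign_hs256({"alg": "HS256", "typ": typ},
                      {"iss": ISSUER, "sub": "user-42", "aud": "https://api.example",
                       "scope": "openid profile", "iat": now, "exp": now + 3600})

def accept_as_id_token_hint(token):
    # Returns (accepted, reason): signature first, then the checks that make it an ID Token.
    h_b64, c_b64, s_b64 = token.split(".")  # ValueError if it is not a three-part compact JWS
    expected = hmac.new(KEY, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "signature invalid (not issued by this OP)"
    header = json.loads(b64url_decode(h_b64))
    claims = json.loads(b64url_decode(c_b64))
    # 1. Strong typing via the JWS "typ" header: RFC 9068 access tokens carry "at+jwt".
    if header.get("typ", "JWT").lower() != "jwt":
        return False, "typ %r is not an ID Token" % header.get("typ")
    # 2. Claim shape: all required ID Token claims present, and aud names this RP (an
    #    access token's aud names a resource server instead).
    if any(c not in claims for c in ("iss", "sub", "aud", "iat", "exp")):
        return False, "missing a required ID Token claim"
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if CLIENT_ID not in aud:
        return False, "aud does not name this RP (resource token?)"
    # 3. As George notes, ID Tokens normally carry no scope; JWT access tokens do.
    if "scope" in claims:
        return False, "scope claim present: this is an access token"
    return True, "ok"
```

A lookalike access token with typ "JWT" passes check 1 and is still rejected by the aud and scope checks, which is the gap the thread is about.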
</body>
</html>