<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<font face="Helvetica, Arial, sans-serif">I don't think so because
it's a hint. If that user doesn't want to sign in, they can often
switch to a different user.</font><br>
<br>
<div class="moz-cite-prefix">On 10/3/17 12:35 PM, Phil Hunt wrote:<br>
</div>
<blockquote type="cite"
cite="mid:5805399E-3707-41E6-9ABA-7B0058673CC3@oracle.com">
Isn’t there an audience issue here?
<div class=""><br class="">
<div class="">Phil</div>
<div class="">Oracle Corporation, Identity Cloud Services Architect</div>
<div class="">@independentid</div>
<div class=""><a href="http://www.independentid.com" class="" moz-do-not-send="true">www.independentid.com</a></div>
<div class=""><a href="mailto:phil.hunt@oracle.com" class="" style="orphans: 2; widows: 2;" moz-do-not-send="true">phil.hunt@oracle.com</a></div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Oct 2, 2017, at 8:10 AM, George Fletcher
via Openid-specs-ab <<a
href="mailto:openid-specs-ab@lists.openid.net" class=""
moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>>
wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div text="#000000" bgcolor="#FFFFFF" class=""> If the JWT was issued by the same OP/AS it's being presented to as an id_token_hint, and the OP can securely determine the user from the access token, then I don't think there are any security issues in this flow. The biggest issue might be that the valid access token is now flowing through the browser and hence is subject to a man-in-the-browser capture and replay attack.<br class="">
<br class="">
Thanks,<br class="">
George<br class="">
<br class="">
<div class="moz-cite-prefix">On 10/2/17 10:31 AM, Filip
Skokan wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:CALAqi_9drLBE_-Kb909rw+4bRA5mfL-6GFUtDz+WKpQU38Epig@mail.gmail.com"
class="">
<div dir="ltr" class="">
<div class="">The original question was purely concerned with OPs accepting JWT-formatted access tokens in places where an ID Token is expected, e.g. id_token_hint for authorization or logout requests.<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Is that something to be concerned
about?</div>
<div class=""><br class="">
</div>
<div class="">
<div class="gmail_extra">
<div class="">
<div class="gmail_signature"
data-smartmail="gmail_signature">Best,<br
class="">
<b class="">Filip Skokan</b></div>
</div>
<br class="">
<div class="gmail_quote">On Mon, Oct 2, 2017 at
4:28 PM, George Fletcher <span dir="ltr"
class=""><<a
href="mailto:gffletch@aol.com"
target="_blank" moz-do-not-send="true"
class="">gffletch@aol.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px
#ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF"
class=""> In the cases you've run across... do they really use the id_token as an access_token? Or rather as a bootstrap token into new refresh/access tokens? Given that in most cases id_tokens do not contain scopes, it seems weird to use them as access tokens (the difference between authentication and authorization).<br class="">
<br class="">
Thanks,<br class="">
George
<div class="">
<div class="h5"><br class="">
<br class="">
<div
class="m_9065664049678016792moz-cite-prefix">On
10/2/17 3:02 AM, Dominick Baier via
Openid-specs-ab wrote:<br class="">
</div>
<blockquote type="cite" class="">
<div
id="m_9065664049678016792bloop_customfont"
style="font-family: Helvetica,
Arial; font-size: 13px; margin:
0px;" class="">We’ve come across a
number of implementations that
promote the use of id_tokens as
access tokens e.g. Microsoft Azure
AD (B2C), Google and Auth0.</div>
<div class=""><br class="">
</div>
<div class="">Every time we argue with e.g. Microsoft - they say “we did our own threat modelling and it's fine”. So maybe the spec should be very explicit about why this is not allowed or when exactly this is OK or not.</div>
<div class=""><br class="">
</div>
<div class="">There is a long thread
here:</div>
<div class=""><a href="https://github.com/IdentityServer/IdentityServer3/issues/2015" target="_blank" moz-do-not-send="true" class="">https://github.com/IdentityServer/IdentityServer3/issues/2015</a></div>
<br class="">
<div
id="m_9065664049678016792bloop_sign_1506927336596803072"
class="m_9065664049678016792bloop_sign">
<div class=""><br class="">
</div>
<div class="">-------</div>
<div class="">Dominick Baier</div>
</div>
<br class="">
<p
class="m_9065664049678016792airmail_on">On
29. September 2017 at 07:56:56,
Filip Skokan via Openid-specs-ab (<a
href="mailto:openid-specs-ab@lists.openid.net" target="_blank"
moz-do-not-send="true" class="">openid-specs-ab@lists.openid.<wbr
class="">net</a>) wrote:</p>
<blockquote type="cite"
class="m_9065664049678016792clean_bq"><span
class="">
<div class="">
<div class="">
<div dir="ltr" class="">
<div class="">Hello
everyone,</div>
<div class=""><br class="">
</div>
<div class="">I'm certain you've come across authorization servers issuing JWT-formatted Access Tokens by now. Most frequently these follow the JWT profile just like an ID Token does, opening up the possibility that an Access Token is a perfect ID Token lookalike and can be used e.g. as id_token_hint.</div>
<div class="">
<ul class="">
<li class="">Is this a valid concern?<br class="">
</li>
<li class="">Shouldn't the JWT "typ" header parameter be used to strongly type the ID Token (similar to SETs' secevent+jwt)?</li>
<li class="">Any other way ID Tokens could have a unique required claim making it possible to differentiate between JWT Access Tokens and ID Tokens?</li>
</ul>
<div class="">If not
part of the specs,
should the OPs
supporting JWT access
tokens be at least
recommended to push
unique claims to their
JWTs to be able to
distinguish between
the different JWT
uses?</div>
<div class=""><br
class="">
</div>
<div class="">Penny for
your thoughts.<br
class="">
</div>
<div class=""><br
class="">
</div>
</div>
<div class="">
<div
class="m_9065664049678016792gmail_signature">Best
Regards,<br class="">
<b class="">Filip
Skokan</b></div>
</div>
</div>
_______________________________________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" moz-do-not-send="true" class="">Openid-specs-ab@lists.openid.net</a><br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" moz-do-not-send="true" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
</div>
</div>
</span></blockquote>
<br class="">
</blockquote>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
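<p>The distinctions the thread circles around, written up as an added example (not code from any poster or from the OpenID specs): an OP-side validator for an id_token_hint that verifies the signature, refuses a token explicitly typed as an access token (the "at+jwt" typ comes from RFC 9068, which postdates this thread), requires the RP's client_id in aud, and applies George's observation that ID Tokens normally carry no scopes. The HS256 key, client_id and sample tokens are constructed for the demo.</p>

```python
import base64, hashlib, hmac, json

# Constructed demo values, not from the thread: a shared HS256 key standing in for
# the OP's signing key, and the client_id of the RP whose hint is being checked.
KEY = b"demo-shared-secret-not-for-production"
CLIENT_ID = "rp-client-123"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(header: dict, claims: dict) -> str:
    """Build an HS256 JWT; used here only to construct the sample tokens."""
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def check_id_token_hint(token: str, client_id: str = CLIENT_ID) -> str:
    """Return "ok" if the hint is an ID Token issued to this RP, else the rejection reason."""
    parts = token.split(".")
    if len(parts) != 3:
        return "not a compact JWS"
    h, c, s = parts
    expected = hmac.new(KEY, (h + "." + c).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return "bad signature"
    header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
    # Explicit typing (Filip's "typ" suggestion): RFC 9068 access tokens declare
    # typ "at+jwt"; such a token is never an ID Token, whatever claims it carries.
    if str(header.get("typ", "")).lower() == "at+jwt":
        return "typ says access token"
    # Audience (Phil's point): an ID Token's aud must contain this RP's client_id,
    # while an access token is addressed to a resource server, so lookalikes fail here.
    aud = claims.get("aud", [])
    if client_id not in ([aud] if isinstance(aud, str) else aud):
        return "aud does not include client_id"
    # Heuristic from the thread (George): ID Tokens normally carry no scopes.
    if "scope" in claims:
        return "scope claim present"
    return "ok"

# Constructed sample tokens covering the cases raised in the thread.
ID_TOKEN = mint({"alg": "HS256", "typ": "JWT"},
                {"iss": "https://op.example", "sub": "user-1", "aud": CLIENT_ID, "nonce": "n-1"})
LOOKALIKE_AT = mint({"alg": "HS256", "typ": "JWT"},  # same typ as an ID Token
                    {"iss": "https://op.example", "sub": "user-1", "aud": "https://api.example", "scope": "openid profile"})
TYPED_AT = mint({"alg": "HS256", "typ": "at+jwt"},
                {"iss": "https://op.example", "sub": "user-1", "aud": [CLIENT_ID, "https://api.example"]})
```

The aud check is what separates the lookalike from a genuine ID Token even when both carry typ "JWT"; the typ check catches a typed access token before its claims are ever consulted.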
<br>
</body>
</html>