<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Isn’t there an audience issue here? <div class=""><br class="">
<div class="">Phil</div>
<div class=""><br class=""></div>
<div class="">Oracle Corporation, Identity Cloud Services Architect</div>
<div class="">@independentid</div>
<div class=""><a href="http://www.independentid.com" class="">www.independentid.com</a></div>
<div class=""><a href="mailto:phil.hunt@oracle.com" class="">phil.hunt@oracle.com</a></div>
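Added example, not from the thread below and not any participant's implementation: one way an OP could refuse a JWT access token that is offered as id_token_hint, covering the two approaches Filip asks about in the quoted thread (strong typing through the JWT "typ" header, and claim-shape checks that tell an untyped lookalike apart from a real ID Token). Assumptions: HS256 with an inline constructed secret so it runs offline (a real OP verifies against its own asymmetric keys), a hypothetical issuer https://op.example, client id rp-client-123 and resource https://api.example; the "at+jwt" typ value is the media type later standardised for JWT access tokens in RFC 9068, and the rule that "scope"/"client_id" never appear in an ID Token is this example's heuristic, not anything the specs state.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed fixtures, not from the thread. HS256 with an inline secret keeps the
# example offline; a real OP verifies against its own published asymmetric keys.
KEY = b"constructed-example-secret"
ISSUER = "https://op.example"        # hypothetical OP / AS
RP_CLIENT_ID = "rp-client-123"       # hypothetical RP registered at that OP
RESOURCE = "https://api.example"     # hypothetical resource server audience

ID_TOKEN_REQUIRED_CLAIMS = {"iss", "sub", "aud", "exp", "iat"}
# Assumption used as a lookalike tell-tale: OIDC Core defines neither claim for
# ID Tokens, while JWT access tokens commonly carry both (RFC 9068 requires client_id).
ACCESS_TOKEN_ONLY_CLAIMS = {"scope", "client_id"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(header: dict, claims: dict, key: bytes = KEY) -> str:
    """Mint a compact HS256 JWT from a header and a claims dict."""
    h = _b64url(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes = KEY) -> tuple[dict, dict]:
    """Check structure, pinned alg and signature; return (header, claims)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":       # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return header, json.loads(_b64url_decode(p))

def check_id_token_hint(token: str, client_id: str) -> tuple[bool, str]:
    """Is the JWT offered as id_token_hint really an ID Token issued to client_id?
    Expiry is not enforced: OIDC Core lets an OP honour an expired hint for a
    session it still knows about. Returns (accepted, reason)."""
    try:
        header, claims = verify_jwt(token)
    except ValueError as exc:
        return False, f"rejected: {exc}"

    # 1. Strong typing through the JWT "typ" header: absent or "JWT" is what OPs
    #    put on ID Tokens; anything else, such as RFC 9068's "at+jwt", is not one.
    typ = header.get("typ", "JWT").lower().removeprefix("application/")
    if typ != "jwt":
        return False, f"rejected: typ {header['typ']!r} is not an ID Token"

    # 2. Claims every ID Token must carry, and the OP's own issuer.
    missing = ID_TOKEN_REQUIRED_CLAIMS - set(claims)
    if missing:
        return False, f"rejected: missing claims {sorted(missing)}"
    if claims["iss"] != ISSUER:
        return False, "rejected: foreign issuer"

    # 3. An ID Token is addressed to the RP; a JWT access token to a resource.
    #    With several audiences OIDC Core requires azp to name the client.
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        return False, "rejected: aud does not contain the requesting client_id"
    if len(aud) > 1 and claims.get("azp") != client_id:
        return False, "rejected: multiple audiences without matching azp"

    # 4. Claim-shape heuristic for an untyped lookalike addressed to the client.
    leaked = ACCESS_TOKEN_ONLY_CLAIMS & set(claims)
    if leaked:
        return False, f"rejected: access-token claims present {sorted(leaked)}"
    return True, f"accepted: ID Token for sub={claims['sub']}"

def mint_id_token(sub: str, now: int) -> str:
    return sign_jwt({"alg": "HS256", "typ": "JWT"},
                    {"iss": ISSUER, "sub": sub, "aud": RP_CLIENT_ID,
                     "exp": now + 600, "iat": now, "auth_time": now})

def mint_access_token(sub: str, now: int, typed: bool) -> str:
    """Same OP/AS, same key. typed=False is the perfect lookalike the thread fears."""
    header = {"alg": "HS256", "typ": "at+jwt" if typed else "JWT"}
    return sign_jwt(header, {"iss": ISSUER, "sub": sub, "aud": RESOURCE,
                             "client_id": RP_CLIENT_ID, "scope": "openid profile",
                             "exp": now + 600, "iat": now, "jti": "constructed-jti-1"})

if __name__ == "__main__":
    now = int(time.time())
    for label, tok in (("ID Token", mint_id_token("alice", now)),
                       ("at+jwt access token", mint_access_token("alice", now, True)),
                       ("untyped access token", mint_access_token("alice", now, False))):
        print(f"{label:21} -> {check_id_token_hint(tok, RP_CLIENT_ID)[1]}")
```

Run stand-alone it prints one verdict per token: the ID Token is accepted, the typed access token is rejected on "typ" alone before any claim is read, and the untyped lookalike is rejected because its aud names the resource server rather than the RP. The claim-shape check in step 4 only matters for an access token whose aud already equals the client id, which is why it sits last; the typ check is the cheap, unambiguous signal and is what the thread's first suggestion would give every OP.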
<br class=""><div><blockquote type="cite" class=""><div class="">On Oct 2, 2017, at 8:10 AM, George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="">openid-specs-ab@lists.openid.net</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<div text="#000000" bgcolor="#FFFFFF" class="">
If the JWT was issued by the same OP/AS it's being presented to as
an id_token_hint, and the OP can securely determine the user from
the access token, then I don't think there are any security issues in
this flow. The biggest issue might be that the valid access token is
now flowing through the browser and hence is subject to a
man-in-the-browser capture-and-replay attack.<br class="">
<br class="">
Thanks,<br class="">
George<br class="">
<br class="">
<div class="moz-cite-prefix">On 10/2/17 10:31 AM, Filip Skokan
wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:CALAqi_9drLBE_-Kb909rw+4bRA5mfL-6GFUtDz+WKpQU38Epig@mail.gmail.com" class="">
<div dir="ltr" class="">
<div class="">Original question was purely concerned about the OPs
accepting a JWT formatted access tokens in places where ID
Token is expected, e.g. id_token_hint for authorization or
logout request.<br class="">
</div>
<div class=""><br class="">
</div>
<div class="">Is that something to be concerned about?</div>
<div class=""><br class="">
</div>
<div class="">
<div class="gmail_extra">
<div class="">
<div class="gmail_signature" data-smartmail="gmail_signature">Best,<br class="">
<b class="">Filip Skokan</b></div>
</div>
<br class="">
<div class="gmail_quote">On Mon, Oct 2, 2017 at 4:28 PM,
George Fletcher <span dir="ltr" class=""><<a href="mailto:gffletch@aol.com" target="_blank" moz-do-not-send="true" class="">gffletch@aol.com</a>></span>
wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF" class=""> In the cases
you've run across... do they really use the id_token
as an access_token? Or rather as a bootstrap token
into new refresh/access tokens? Given that in most
cases id_tokens do not contain scopes, it seems weird
to use them as access tokens (the difference between
authentication and authorization).<br class="">
<br class="">
Thanks,<br class="">
George
<div class="">
<div class="h5"><br class="">
<br class="">
<div class="m_9065664049678016792moz-cite-prefix">On
10/2/17 3:02 AM, Dominick Baier via
Openid-specs-ab wrote:<br class="">
</div>
<blockquote type="cite" class="">
<div id="m_9065664049678016792bloop_customfont" style="font-family: Helvetica, Arial; font-size: 13px; margin: 0px;" class="">We’ve
come across a number of implementations that
promote the use of id_tokens as access tokens,
e.g. Microsoft Azure AD (B2C), Google and
Auth0.</div>
<div class=""><br class="">
</div>
<div class="">Every time we argue with e.g. Microsoft -
they say “we did our own threat modelling and
its fine”. So maybe the spec should be very
explicit about why this is not allowed or when
exactly this is OK or not.</div>
<div class=""><br class="">
</div>
<div class="">There is a long thread here:</div>
<div class=""><a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_IdentityServer_IdentityServer3_issues_2015&d=DwMDaQ&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=mdDV8XhVQVLAfkuK-l3w8eRNsa67if9SJfSkAbg0sbc&s=V9Wy-oAo8x7-kicEYAtUPei6HGA6mPbfnp1j3iLfNrA&e=" target="_blank" moz-do-not-send="true" class="">https://github.com/<wbr class="">IdentityServer/<wbr class="">IdentityServer3/issues/2015</a></div>
<br class="">
<div id="m_9065664049678016792bloop_sign_1506927336596803072" class="m_9065664049678016792bloop_sign">
<div class=""><br class="">
</div>
<div class="">-------</div>
<div class="">Dominick Baier</div>
</div>
<br class=""><p class="m_9065664049678016792airmail_on">On
29. September 2017 at 07:56:56, Filip Skokan
via Openid-specs-ab (<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" moz-do-not-send="true" class="">openid-specs-ab@lists.openid.<wbr class="">net</a>)
wrote:</p>
<blockquote type="cite" class="m_9065664049678016792clean_bq"><span class="">
<div class="">
<div class="">
<div dir="ltr" class="">
<div class="">Hello everyone,</div>
<div class=""><br class="">
</div>
<div class="">I'm certain you've came across
authorization servers issuing
JWT-formatted Access Tokens by now.
Most frequently these are following
the JWT profile just like an ID
Token does, opening up the
possibility an Access Token is a
perfect ID Token lookalike and can
be used i.e. as id_token_hint.</div>
<div class="">
<ul class="">
<li class="">Is this a valid concern?<br class="">
</li>
<li class="">Shouldn't the JWT "typ" header
parameter be used to strong type
the ID Token (similar to
SETs secevent+jwt)?</li>
<li class="">Any other way ID Tokens could
have a unique required claims
making it possible to
differentiate between JWT Access
Tokens and ID Tokens?</li>
</ul>
<div class="">If not part of the specs,
should the OPs supporting JWT
access tokens be at least
recommended to push unique claims
to their JWTs to be able to
distinguish between the different
JWT uses?</div>
<div class=""><br class="">
</div>
<div class="">Penny for your thoughts.<br class="">
</div>
<div class=""><br class="">
</div>
</div>
<div class="">
<div class="m_9065664049678016792gmail_signature">Best
Regards,<br class="">
<b class="">Filip Skokan</b></div>
</div>
</div>
_______________________________________________
<br class="">
Openid-specs-ab mailing list <br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank" moz-do-not-send="true" class="">Openid-specs-ab@lists.openid.net</a>
<br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank" moz-do-not-send="true" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a>
<br class="">
</div>
</div>
</span></blockquote>
<br class="">
</blockquote>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
</blockquote>
</div>
</div></blockquote></div><br class=""></div></body></html>