Messages - Spec unnecessarily forbids use of the ID Token as an access token

Issue #327 wontfix
Michael Jones created an issue

Describing the ID Token, Messages currently says "It MUST NOT be used as an access token to access OAuth 2.0 protected resources."

How the token is used outside of login is absolutely no business of OpenID Connect’s unless we can prove a security hole which, in fact, we can’t. So this line needs to go.

Comments (2)

  1. Nat Sakimura

    Reject.

    It was an explicit decision of the WG consensus to add this sentence. The ID Token may be used as a cookie in the browser, which would expose it to much more security risk than access_token in the code flow.

    It is the other way round.

    Unless we can prove that there is no additional security risk over normal access_token, we should not use it as access_token.

  2. Nat Sakimura

    id_token is a token whose aud is the client.

    Using it as access_token and sending it to somebody else is a security violation.
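The audience point made in the comment above is what a resource server should enforce. The following is an added example, not code from the OpenID Foundation, the spec, or either commenter: a minimal resource-server check that verifies a compact JWS and accepts it only when its `aud` names this resource, so an ID Token (whose `aud` is the Relying Party's client_id) is refused even though its signature is valid. The HS256 shared secret, issuer, client_id and resource identifier are constructed for the example; a real deployment would normally verify an asymmetric signature against the issuer's published keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (not from the issue thread).
SHARED_SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://op.example"
CLIENT_ID = "client-abc"            # the Relying Party that performed login
RESOURCE_ID = "https://api.example"  # identifier of the protected resource


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Issuer side: produce a compact JWS (HS256) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def issue_id_token(sub: str, now: float, lifetime: int = 600) -> str:
    """An ID Token is addressed to the client that requested login."""
    return mint_jwt({"iss": ISSUER, "sub": sub, "aud": CLIENT_ID,
                     "iat": int(now), "exp": int(now) + lifetime})


def issue_access_token(sub: str, now: float, lifetime: int = 600) -> str:
    """An access token for the API is addressed to the resource itself."""
    return mint_jwt({"iss": ISSUER, "sub": sub, "aud": RESOURCE_ID,
                     "iat": int(now), "exp": int(now) + lifetime})


def verify_for_resource(token: str, resource_id: str,
                        secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Resource-server side: accept only tokens addressed to *this* resource.

    Raises ValueError with a reason otherwise. The aud check is the step that
    stops an ID Token (aud = the RP's client_id) being replayed against an API.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never trust an unexpected alg
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("unknown issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if resource_id not in audiences:
        raise ValueError(f"token not intended for this resource (aud={aud!r})")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def is_accepted(token: str, resource_id: str = RESOURCE_ID, now=None) -> bool:
    """Convenience wrapper: True if the resource server would accept the token."""
    try:
        verify_for_resource(token, resource_id, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    t = time.time()
    print("access token accepted:", is_accepted(issue_access_token("alice", t), now=t))
    print("ID token accepted:    ", is_accepted(issue_id_token("alice", t), now=t))
```

Both tokens here are signed by the same issuer and carry the same `sub`; the only thing separating them at the API is the `aud` claim, which is why a resource server that skips that check cannot tell a login artefact from a credential meant for it.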