openid / connect / issues / #390 - Message, Standard - Why id_token not access_token? — Bitbucket

Issue #390 resolved

Nat Sakimura created an issue 2011-12-08

Nov, what was the reason for not having id_token as not an access_token to check_id endpoint?

I think it was something like that id_token can be big and blows up your framework.

If there is no problem, it would be easier to explain it as access_token to bearer endpoint.

Comments (13)

Michael Jones
The consensus on the working group call was that the ID Token should be an access token to the Check ID Endpoint and that the messages should be standard OAuth Bearer messages.
- 2011-12-08T23:37:48+00:00
Former user Account Deleted
My Ruby library is designed to extract (and validate expiry etc) in middleware layer. In that layer, acting in different way based on the requested endpoint is a tricky way. Of course, I can let my library users hardcode id_token supported endpoints in the middleware layer, or check token includes double "." etc., though.
- 2011-12-11T03:31:42+00:00
Nov Matake
sorry, I've commented as anonymous.
- 2011-12-11T03:33:24+00:00
Nat Sakimura reporter
- assigned issue to
  
  Nov Matake
- changed status to open
So, let me understand it clearly.

In OAuth implementations, there can be multiple protected resources which requires different access tokens. All the access tokens may be completely opaque.

How does the library handle these?
- 2011-12-11T05:11:58+00:00
Nov Matake
My library get an access token from header/body/query and confirm it's not expired/invalidated. So that application don't have to check token validity and just check its scope.

However, it seems many providers tend to use different format of access tokens with same token type. So I may have to re-think my library's structure.
- 2011-12-11T12:34:01+00:00
Michael Jones
- assigned issue to
  
  Nat Sakimura
Sounds like Nov has a workaround at least. Therefore, I'd recommend that we decide on Monday to go with the working group consensus from the last call and change the Check ID endpoint to be an actual OAuth protected resource.
- 2011-12-12T01:57:04+00:00
Michael Jones
- assigned issue to
  
  John Bradley
Also delete the sentence saying that the ID Token MUST NOT be used as an access token.
- 2011-12-12T21:01:11+00:00
John Bradley
re ~~#390~~ change check id to Bearer token

→ b8875fa6db23
- 2011-12-14T13:58:16+00:00
John Bradley
re ~~#390~~ remove prohibition against using id_token as access token in Sec 2.1.1

→ 1b0a48a85233
- 2011-12-14T14:51:39+00:00
John Bradley
re ~~#390~~ change check_id ti Bearer

→ 45ad6a23a372
- 2011-12-14T15:57:22+00:00
John Bradley
- changed status to resolved
Fixes ~~#390~~ change check id to Bearer token<

→ fc02082961ce
- 2011-12-14T16:08:22+00:00
John Bradley
re ~~#390~~ Sec 5.3 fix verification rule to match bearer

→ ac2528a9b65c
- 2011-12-14T18:48:00+00:00
John Bradley
change sec 5.3 to match bearer for check_id re ~~#390~~

→ 602c78ce3e62
- 2011-12-14T19:03:29+00:00
Log in to comment

Assignee: John Bradley

Type: bug

Priority: major

Status: resolved

Component: –

Milestone: –

Version: –

Votes: 0

Watchers: 0

Jira: the preferred issue tracker for Bitbucket. Join the team!