openid / connect / issues / #519 - Messages 2.1.2 - Question about Authorization Code and ID Token — Bitbucket

Issue #519 invalid

Michael Jones created an issue 2012-01-19

Yaron Goland writes: "If someone is getting an authorization code then wouldn't it make sense to NOT return an ID token at all but rather return the ID token as part of exchange the authorization code? If we don't trust the bloody transport enough to hand out an access token why the hell are we trusting it with PII?"

Comments (2)

John Bradley
They can do that by just asking for code.

If the client is non SSL then they may want to ask for code id_token.

Code would be passed back to the host, but the id_token could be consumed by JS in the browser and validated separately.

Given that the id_token is audience restricted and has replay protection, it's interception is less of an issue than a long lived access token.

The other reason to do it is that you need to use code to get a refresh token. You may want to get id_token in the front channel to quickly customize the UI while fetching refresh and access tokens in the background.

It depends on the use case we support several options.

John
- 2012-01-19T22:33:22+00:00
Michael Jones reporter
- changed status to invalid
Closing this as invalid on the basis of John's comments above
- 2012-01-20T00:14:51+00:00
Log in to comment

Assignee: –

Type: bug

Priority: minor

Status: invalid

Component: –

Milestone: –

Version: –

Votes: 0

Watchers: 0

Jira: the preferred issue tracker for Bitbucket. Join the team!