Messages 2.1.2 - Question about Authorization Code and ID Token

Issue #519 invalid
Michael Jones created an issue

Yaron Goland writes: "If someone is getting an authorization code then wouldn't it make sense to NOT return an ID token at all but rather return the ID token as part of exchange the authorization code? If we don't trust the bloody transport enough to hand out an access token why the hell are we trusting it with PII?"

Comments (2)

  1. John Bradley

    They can do that by just asking for code.

    If the client is non-SSL then they may want to ask for code id_token.

    Code would be passed back to the host, but the id_token could be consumed by JS in the browser and validated separately.

    Given that the id_token is audience restricted and has replay protection, its interception is less of an issue than a long-lived access token.

    The other reason to do it is that you need to use code to get a refresh token. You may want to get id_token in the front channel to quickly customize the UI while fetching refresh and access tokens in the background.

    It depends on the use case; we support several options.

    John
