
Re: Authentication draft: difference between dpop-bound access token and oidc id token

From: divoplade <d@divoplade.fr>
Date: Tue, 06 Oct 2020 14:52:16 +0200
Message-ID: <567fea39fa410c8ae368ef77947734be889ce009.camel@divoplade.fr>
To: Aaron Coburn <acoburn@apache.org>, Michiel de Jong <michiel@unhosted.org>
Cc: public-solid <public-solid@w3.org>

On Tuesday, 06 October 2020 at 08:31 -0400, Aaron Coburn wrote:
> Under OIDC, an ID token is for use by a client application. That
> client application may use that token to determine the user's name,
> profile image, etc. The OIDC specification requires that this token
> be structured as a JWT so that a client can rely on a single
> mechanism for parsing/validating that token. Notably, the aud
> (audience) claim in an ID token is the client_id. In other words, an
> ID token is for the client and should not be used elsewhere. And an
> ID token should *definitely not* be used for resource access.

This is what I was missing. It is only used between the client and the
identity provider. What is its use then? It is not used to get a dpop-
bound access token, since it is issued at the same time. The
informative basic flow section does not use it either. Should I infer
that it may be used to refresh the dpop-bound access token?

Received on Tuesday, 6 October 2020 12:52:57 UTC
